GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc5607

Network Working Group D. Nelson Request for Comments: 5607 Elbrys Networks, Inc. Category: Standards Track G. Weber

                                                Individual Contributor
                                                             July 2009

Remote Authentication Dial-In User Service (RADIUS) Authorization for

               Network Access Server (NAS) Management

Abstract

 This document specifies Remote Authentication Dial-In User Service
 (RADIUS) attributes for authorizing management access to a Network
 Access Server (NAS).  Both local and remote management are supported,
 with granular access rights and management privileges.  Specific
 provisions are made for remote management via Framed Management
 protocols and for management access over a secure transport protocol.

Status of This Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (c) 2009 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents in effect on the date of
 publication of this document (http://trustee.ietf.org/license-info).
 Please review these documents carefully, as they describe your rights
 and restrictions with respect to this document.
 This document may contain material from IETF Documents or IETF
 Contributions published or made publicly available before November
 10, 2008.  The person(s) controlling the copyright in some of this
 material may not have granted the IETF Trust the right to allow
 modifications of such material outside the IETF Standards Process.
 Without obtaining an adequate license from the person(s) controlling
 the copyright in such materials, this document may not be modified
 outside the IETF Standards Process, and derivative works of it may

Nelson & Weber Standards Track [Page 1] RFC 5607 RADIUS NAS-Management Authorization July 2009

 not be created outside the IETF Standards Process, except to format
 it for publication as an RFC or to translate it into languages other
 than English.

Table of Contents

 1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
 2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
 3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
 4.  Domain of Applicability  . . . . . . . . . . . . . . . . . . .  5
 5.  New Values for Existing RADIUS Attributes  . . . . . . . . . .  6
   5.1.  Service-Type . . . . . . . . . . . . . . . . . . . . . . .6
 6.  New RADIUS Attributes  . . . . . . . . . . . . . . . . . . . .  6
   6.1.  Framed-Management-Protocol . . . . . . . . . . . . . . . .  6
   6.2.  Management-Transport-Protection  . . . . . . . . . . . . . 9
   6.3.  Management-Policy-Id . . . . . . . . . . . . . . . . . . . 11
   6.4.  Management-Privilege-Level . . . . . . . . . . . . . . . . 13
 7.  Use with Dynamic Authorization . . . . . . . . . . . . . . . . 15
 8.  Examples of Attribute Groupings  . . . . . . . . . . . . . . . 15
 9.  Diameter Translation Considerations  . . . . . . . . . . . . . 17
 10. Table of Attributes  . . . . . . . . . . . . . . . . . . . . . 18
 11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 19
 12. Security Considerations  . . . . . . . . . . . . . . . . . . . 20
   12.1. General Considerations . . . . . . . . . . . . . . . . . . 20
   12.2. RADIUS Proxy Operation Considerations  . . . . . . . . . . 22
 13. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 23
 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
   14.1. Normative References . . . . . . . . . . . . . . . . . . . 23
   14.2. Informative References . . . . . . . . . . . . . . . . . . 23

Nelson & Weber Standards Track [Page 2] RFC 5607 RADIUS NAS-Management Authorization July 2009

1. Introduction

 RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
 values of the Service-Type (6) Attribute.  Both of these values
 provide access to the interactive, text-based Command Line Interface
 (CLI) of the NAS, and were originally developed to control access to
 the physical console port of the NAS, most often a serial port.
 Remote access to the CLI of the NAS has been available in NAS
 implementations for many years, using protocols such as Telnet,
 Rlogin, and the remote terminal service of the Secure SHell (SSH).
 In order to distinguish local, physical, console access from remote
 access, the NAS-Port-Type (61) Attribute is generally included in
 Access-Request and Access-Accept messages, along with the Service-
 Type (6) Attribute, to indicate the form of access.  A NAS-Port-Type
 (61) Attribute with a value of Async (0) is used to signify a local
 serial port connection, while a value of Virtual (5) is used to
 signify a remote connection, via a remote terminal protocol.  This
 usage provides no selectivity among the various available remote
 terminal protocols (e.g., Telnet, Rlogin, SSH, etc.).
 Today, it is common for network devices to support more than the two
 privilege levels for management access provided by the Service-Type
 (6) Attribute with values of NAS-Prompt (7) (non-privileged) and
 Administrative (6) (privileged).  Also, other management mechanisms
 may be used, such as Web-based management, the Simple Network
 Management Protocol (SNMP), and the Network Configuration Protocol
 (NETCONF).  To provide support for these additional features, this
 specification defines attributes for Framed Management protocols,
 management protocol security, and management access privilege levels.
 Remote management via the command line is carried over protocols such
 as Telnet, Rlogin, and the remote terminal service of SSH.  Since
 these protocols are primarily for the delivery of terminal or
 terminal emulation services, the term "Framed Management" is used to
 describe management protocols supporting techniques other than the
 command line.  Typically, these mechanisms format management
 information in a binary or textual encoding such as HTML, XML, or
 ASN.1/BER.  Examples include Web-based management (HTML over HTTP or
 HTTPS), NETCONF (XML over SSH or BEEP or SOAP), and SNMP (SMI over
 ASN.1/BER).  Command line interface, menu interface, or other text-
 based (e.g., ASCII or UTF-8) terminal emulation services are not
 considered to be Framed Management protocols.

Nelson & Weber Standards Track [Page 3] RFC 5607 RADIUS NAS-Management Authorization July 2009

2. Terminology

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [RFC2119].
 This document uses terminology from RFC 2865 [RFC2865], RFC 2866
 [RFC2866], and RFC 5176 [RFC5176].
 The term "integrity protection", as used in this document, is *not*
 the same as "authentication", as used in SNMP.  Integrity protection
 requires the sharing of cryptographic keys, but it does not require
 authenticated principals.  Integrity protection could be used, for
 example, with anonymous Diffie-Hellman key agreement.  In SNMP, the
 proof of identity of the principals (authentication) is conflated
 with tamper-resistance of the protected messages (integrity).  In
 this document, we assume that integrity protection and authentication
 are separate concerns.  Authentication is part of the base RADIUS
 protocol.
 SNMP uses the terms "auth" and "noAuth", as well as "priv" and
 "noPriv".  There is no analog to auth or noAuth in this document.  In
 this document, we are assuming that authentication always occurs when
 it is required, i.e., as a prerequisite to provisioning of access via
 an Access-Accept packet.

3. Overview

 To support the authorization and provisioning of Framed Management
 access to managed entities, this document introduces a new value for
 the Service-Type (6) Attribute [RFC2865] and one new attribute.  The
 new value for the Service-Type (6) Attribute is Framed-Management
 (18), used for remote device management via a Framed Management
 protocol.  The new attribute is Framed-Management-Protocol (133), the
 value of which specifies a particular protocol for use in the remote
 management session.
 Two new attributes are introduced in this document in support of
 granular management access rights or command privilege levels.  The
 Management-Policy-Id (135) Attribute provides a text string
 specifying a policy name of local scope, that is assumed to have been
 pre-provisioned on the NAS.  This use of an attribute to specify use
 of a pre-provisioned policy is similar to the Filter-Id (11)
 Attribute defined in [RFC2865] Section 5.11.
 The local application of the Management-Policy-Id (135) Attribute
 within the managed entity may take the form of (a) one of an
 enumeration of command privilege levels, (b) a mapping into an SNMP

Nelson & Weber Standards Track [Page 4] RFC 5607 RADIUS NAS-Management Authorization July 2009

 Access Control Model, such as the View-Based Access Control Model
 (VACM) [RFC3415], or (c) some other set of management access policy
 rules that is mutually understood by the managed entity and the
 remote management application.  Examples are given in Section 8.
 The Management-Privilege-Level (136) Attribute contains an integer-
 valued management privilege level indication.  This attribute serves
 to modify or augment the management permissions provided by the NAS-
 Prompt (7) value of the Service-Type (6) Attribute, and thus applies
 to CLI management.
 To enable management security requirements to be specified, the
 Management-Transport-Protection (134) Attribute is introduced.  The
 value of this attribute indicates the minimum level of secure
 transport protocol protection required for the provisioning of NAS-
 Prompt (7), Administrative (6), or Framed-Management (18) service.

4. Domain of Applicability

 Most of the RADIUS attributes defined in this document have broad
 applicability for provisioning local and remote management access to
 NAS devices.  However, those attributes that provision remote access
 over Framed Management protocols and over secure transports have
 special considerations.  This document does not specify the details
 of the integration of these protocols with a RADIUS client in the NAS
 implementation.  However, there are functional requirements for
 correct application of Framed Management protocols and/or secure
 transport protocols that will limit the selection of such protocols
 that can be considered for use with RADIUS.  Since the RADIUS user
 credentials are typically obtained by the RADIUS client from the
 secure transport protocol server or the Framed Management protocol
 server, the protocol, and its implementation in the NAS, MUST support
 forms of credentials that are compatible with the authentication
 methods supported by RADIUS.
 RADIUS currently supports the following user authentication methods,
 although others may be added in the future:
 o  Password - RFC 2865
 o  CHAP (Challenge Handshake Authentication Protocol) - RFC 2865
 o  ARAP (Apple Remote Access Protocol) - RFC 2869
 o  EAP (Extensible Authentication Protocol) - RFC 2869, RFC 3579
 o  HTTP Digest - RFC 5090

Nelson & Weber Standards Track [Page 5] RFC 5607 RADIUS NAS-Management Authorization July 2009

 The remote management protocols selected for use with the RADIUS
 remote NAS management sessions, for example, those described in
 Section 6.1, and the secure transport protocols selected to meet the
 protection requirements, as described in Section 6.2, obviously need
 to support user authentication methods that are compatible with those
 that exist in RADIUS.  The RADIUS authentication methods most likely
 usable with these protocols are Password, CHAP, and possibly HTTP
 Digest, with Password being the distinct common denominator.  There
 are many secure transports that support other, more robust,
 authentication mechanisms, such as public key.  RADIUS has no support
 for public key authentication, except within the context of an EAP
 Method.  The applicability statement for EAP indicates that it is not
 intended for use as an application-layer authentication mechanism, so
 its use with the mechanisms described in this document is NOT
 RECOMMENDED.  In some cases, Password may be the only compatible
 RADIUS authentication method available.

5. New Values for Existing RADIUS Attributes

5.1. Service-Type

 The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
 [RFC2865].  This document defines a new value of the Service-Type
 Attribute, as follows:
    18   Framed-Management
 The semantics of the Framed-Management service are as follows:
    Framed-Management   A Framed Management protocol session should
                        be started on the NAS.

6. New RADIUS Attributes

 This document defines four new RADIUS attributes related to
 management authorization.

6.1. Framed-Management-Protocol

 The Framed-Management-Protocol (133) Attribute indicates the
 application-layer management protocol to be used for Framed
 Management access.  It MAY be used in both Access-Request and Access-
 Accept packets.  This attribute is used in conjunction with a
 Service-Type (6) Attribute with the value of Framed-Management (18).
 It is RECOMMENDED that the NAS include an appropriately valued
 Framed-Management-Protocol (133) Attribute in an Access-Request
 packet, indicating the type of management access being requested.  It

Nelson & Weber Standards Track [Page 6] RFC 5607 RADIUS NAS-Management Authorization July 2009

 is further RECOMMENDED that the NAS include a Service-Type (6)
 Attribute with the value Framed-Management (18) in the same Access-
 Request packet.  The RADIUS server MAY use these attributes as a hint
 in making its authorization decision.
 The RADIUS server MAY include a Framed-Management-Protocol (133)
 Attribute in an Access-Accept packet that also includes a Service-
 Type (6) Attribute with a value of Framed-Management (18), when the
 RADIUS server chooses to enforce a management access policy for the
 authenticated user that dictates one form of management access in
 preference to others.
 When a NAS receives a Framed-Management-Protocol (133) Attribute in
 an Access-Accept packet, it MUST deliver that specified form of
 management access or disconnect the session.  If the NAS does not
 support the provisioned management application-layer protocol, or the
 management access protocol requested by the user does not match that
 of the Framed-Management-Protocol (133) Attribute in the Access-
 Accept packet, the NAS MUST treat the Access-Accept packet as if it
 had been an Access-Reject.
 A summary of the Framed-Management-Protocol (133) Attribute format is
 shown below.  The fields are transmitted from left to right.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |             Value
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Value (cont)         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Type
       133 for Framed-Management-Protocol.
    Length
       6

Nelson & Weber Standards Track [Page 7] RFC 5607 RADIUS NAS-Management Authorization July 2009

    Value
       The Value field is a four-octet enumerated value.
       1      SNMP
       2      Web-based
       3      NETCONF
       4      FTP
       5      TFTP
       6      SFTP
       7      RCP
       8      SCP
 All other values are reserved for IANA allocation subject to the
 provisions of Section 11.
 The acronyms used in the above table expand as follows:
 o  SNMP: Simple Network Management Protocol [RFC3411], [RFC3412],
    [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418].
 o  Web-based: Use of an embedded web server in the NAS for management
    via a generic web browser client.  The interface presented to the
    administrator may be graphical, tabular, or textual.  The protocol
    is HTML over HTTP.  The protocol may optionally be HTML over
    HTTPS, i.e., using HTTP over TLS [HTML] [RFC2616].
 o  NETCONF: Management via the NETCONF protocol using XML over
    supported transports (e.g., SSH, BEEP, SOAP).  As secure transport
    profiles are defined for NETCONF, the list of transport options
    may expand [RFC4741], [RFC4742], [RFC4743], [RFC4744].
 o  FTP: File Transfer Protocol, used to transfer configuration files
    to and from the NAS [RFC0959].
 o  TFTP: Trivial File Transfer Protocol, used to transfer
    configuration files to and from the NAS [RFC1350].
 o  SFTP: SSH File Transfer Protocol, used to securely transfer
    configuration files to and from the NAS.  SFTP uses the services
    of SSH [SFTP].  See also Section 3.7, "SSH and File Transfers" of
    [SSH].  Additional information on the "sftp" program may typically
    be found in the online documentation ("man" pages) of Unix
    systems.

Nelson & Weber Standards Track [Page 8] RFC 5607 RADIUS NAS-Management Authorization July 2009

 o  RCP: Remote CoPy file copy utility (Unix-based), used to transfer
    configuration files to and from the NAS.  See Section 3.7, "SSH
    and File Transfers", of [SSH].  Additional information on the
    "rcp" program may typically be found in the online documentation
    ("man" pages) of Unix systems.
 o  SCP: Secure CoPy file copy utility (Unix-based), used to transfer
    configuration files to and from the NAS.  The "scp" program is a
    simple wrapper around SSH.  It's basically a patched BSD Unix
    "rcp", which uses ssh to do the data transfer (instead of using
    "rcmd").  See Section 3.7, "SSH and File Transfers", of [SSH].
    Additional information on the "scp" program may typically be found
    in the online documentation ("man" pages) of Unix systems.

6.2. Management-Transport-Protection

 The Management-Transport-Protection (134) Attribute specifies the
 minimum level of protection that is required for a protected
 transport used with the Framed or non-Framed Management access
 session.  The protected transport used by the NAS MAY provide a
 greater level of protection, but MUST NOT provide a lower level of
 protection.
 When a secure form of non-Framed Management access is specified, it
 means that the remote terminal session is encapsulated in some form
 of protected transport, or tunnel.  It may also mean that an explicit
 secure mode of operation is required, when the Framed Management
 protocol contains an intrinsic secure mode of operation.  The
 Management-Transport-Protection (134) Attribute does not apply to CLI
 access via a local serial port, or other non-remote connection.
 When a secure form of Framed Management access is specified, it means
 that the application-layer management protocol is encapsulated in
 some form of protected transport, or tunnel.  It may also mean that
 an explicit secure mode of operation is required, when the Framed
 Management protocol contains an intrinsic secure mode of operation.
 A value of "No Protection (1)" indicates that a secure transport
 protocol is not required, and that the NAS SHOULD accept a connection
 over any transport associated with the application-layer management
 protocol.  The definitions of management application to transport
 bindings are defined in the relevant documents that specify those
 management application protocols.  The same "No Protection" semantics
 are conveyed by omitting this attribute from an Access-Accept packet.
 Specific protected transport protocols, cipher suites, key agreement
 methods, or authentication methods are not specified by this
 attribute.  Such provisioning is beyond the scope of this document.

Nelson & Weber Standards Track [Page 9] RFC 5607 RADIUS NAS-Management Authorization July 2009

 It is RECOMMENDED that the NAS include an appropriately valued
 Management-Transport-Protection (134) Attribute in an Access-Request
 packet, indicating the level of transport protection for the
 management access being requested, when that information is available
 to the RADIUS client.  The RADIUS server MAY use this attribute as a
 hint in making its authorization decision.
 The RADIUS server MAY include a Management-Transport-Protection (134)
 Attribute in an Access-Accept packet that also includes a Service-
 Type (6) Attribute with a value of Framed-Management (18), when the
 RADIUS server chooses to enforce a management access security policy
 for the authenticated user that dictates a minimum level of transport
 security.
 When a NAS receives a Management-Transport-Protection (134) Attribute
 in an Access-Accept packet, it MUST deliver the management access
 over a transport with equal or better protection characteristics or
 disconnect the session.  If the NAS does not support protected
 management transport protocols, or the level of protection available
 does not match that of the Management-Transport-Protection (134)
 Attribute in the Access-Accept packet, the NAS MUST treat the
 response packet as if it had been an Access-Reject.
 A summary of the Management-Transport-Protection (134) Attribute
 format is shown below.  The fields are transmitted from left to
 right.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |             Value
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Value (cont)         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    Type
       134 for Management-Transport-Protection.
    Length
       6

Nelson & Weber Standards Track [Page 10] RFC 5607 RADIUS NAS-Management Authorization July 2009

    Value
       The Value field is a four-octet enumerated value.
       1      No-Protection
       2      Integrity-Protection
       3      Integrity-Confidentiality-Protection
 All other values are reserved for IANA allocation subject to the
 provisions of Section 11.
 The names used in the above table are elaborated as follows:
 o  No-Protection: No transport protection is required.  Accept
    connections via any supported transport.
 o  Integrity-Protection: The management transport MUST provide
    Integrity Protection, i.e., protection from unauthorized
    modification, using a cryptographic checksum.
 o  Integrity-Confidentiality-Protection: The management transport
    MUST provide both Integrity Protection and Confidentiality
    Protection, i.e., protection from unauthorized modification, using
    a cryptographic checksum, and protection from unauthorized
    disclosure, using encryption.
 The configuration or negotiation of acceptable algorithms, modes, and
 credentials for the cryptographic protection mechanisms used in
 implementing protected management transports is outside the scope of
 this document.  Many such mechanisms have standardized methods of
 configuration and key management.

6.3. Management-Policy-Id

 The Management-Policy-Id (135) Attribute indicates the name of the
 management access policy for this user.  Zero or one Management-
 Policy-Id (135) Attributes MAY be sent in an Access-Accept packet.
 Identifying a policy by name allows the policy to be used on
 different NASes without regard to implementation details.
 Multiple forms of management access rules may be expressed by the
 underlying named policy, the definition of which is beyond the scope
 of this document.  The management access policy MAY be applied
 contextually, based on the nature of the management access method.
 For example, some named policies may only be valid for application to
 NAS-Prompt (7) services and some other policies may only be valid for
 SNMP.

Nelson & Weber Standards Track [Page 11] RFC 5607 RADIUS NAS-Management Authorization July 2009

 The management access policy named in this attribute, received in an
 Access-Accept packet, MUST be applied to the session authorized by
 the Access-Accept.  If the NAS supports this attribute, but the
 policy name is unknown, or if the RADIUS client is able to determine
 that the policy rules are incorrectly formatted, the NAS MUST treat
 the Access-Accept packet as if it had been an Access-Reject.
 No precedence relationship is defined for multiple occurrences of the
 Management-Policy-Id (135) Attribute.  NAS behavior in such cases is
 undefined.  Therefore, two or more occurrences of this attribute
 SHOULD NOT be included in an Access-Accept or CoA-Request (Change-of-
 Authorization).  In the absence of further specification defining
 some sort of precedence relationship, it is not possible to guarantee
 multi-vendor interoperability when using multiple instances of this
 attribute in a single Access-Accept or CoA-Request packet.
 The content of the Management-Policy-Id (135) Attribute is expected
 to be the name of a management access policy of local significance to
 the NAS, within a namespace of significance to the NAS.  In this
 regard, the behavior is similar to that for the Filter-Id (11)
 Attribute.  The policy names and rules are committed to the local
 configuration data-store of the NAS, and are provisioned by means
 beyond the scope of this document, such as via SNMP, NETCONF, or CLI.
 The namespace used in the Management-Policy-Id (135) Attribute is
 simple and monolithic.  There is no explicit or implicit structure or
 hierarchy.  For example, in the text string "example.com", the "."
 (period or dot) is just another character.  It is expected that text
 string matching will be performed without parsing the text string
 into any sub-fields.
 Overloading or subdividing this simple name with multi-part
 specifiers (e.g., Access=remote, Level=7) is likely to lead to poor
 multi-vendor interoperability and SHOULD NOT be utilized.  If a
 simple, unstructured policy name is not sufficient, it is RECOMMENDED
 that a Vendor Specific (26) Attribute be used instead, rather than
 overloading the semantics of Management-Policy-Id.

Nelson & Weber Standards Track [Page 12] RFC 5607 RADIUS NAS-Management Authorization July 2009

 A summary of the Management-Policy-Id (135) Attribute format is shown
 below.  The fields are transmitted from left to right.
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    |     Type      |    Length     |  Text ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    Type
       135 for Management-Policy-Id.
    Length
       >= 3
    Text
       The Text field is one or more octets, and its contents are
       implementation dependent.  It is intended to be human
       readable and the contents MUST NOT be parsed by the receiver;
       the contents can only be used to look up locally defined
       policies.  It is RECOMMENDED that the message contain UTF-8
       encoded 10646 [RFC3629] characters.

6.4. Management-Privilege-Level

 The Management-Privilege-Level (136) Attribute indicates the integer-
 valued privilege level to be assigned for management access for the
 authenticated user.  Many NASes provide the notion of differentiated
 management privilege levels denoted by an integer value.  The
 specific access rights conferred by each value are implementation
 dependent.  It MAY be used in both Access-Request and Access-Accept
 packets.
 The mapping of integer values for this attribute to specific
 collections of management access rights or permissions on the NAS is
 vendor and implementation specific.  Such mapping is often a user-
 configurable feature.  It's RECOMMENDED that greater numeric values
 imply greater privilege.  However, it would be a mistake to assume
 that this recommendation always holds.
 The management access level indicated in this attribute, received in
 an Access-Accept packet, MUST be applied to the session authorized by
 the Access-Accept.  If the NAS supports this attribute, but the
 privilege level is unknown, the NAS MUST treat the Access-Accept
 packet as if it had been an Access-Reject.

Nelson & Weber Standards Track [Page 13] RFC 5607 RADIUS NAS-Management Authorization July 2009

 A summary of the Management-Privilege-Level (136) Attribute format is
 show below.  The fields are transmitted from left to right.
      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |             Value
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                Value (cont)         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Type
        136 for Management-Privilege-Level.
     Length
        6
     Value
        The Value field is a four-octet Integer, denoting a management
        privilege level.
 It is RECOMMENDED to limit use of the Management-Privilege-Level
 (136) Attribute to sessions where the Service-Type (6) Attribute has
 a value of NAS-Prompt (7) (not Administrative).  Typically, NASes
 treat NAS-Prompt as the minimal privilege CLI service and
 Administrative as full privilege.  Using the Management-Privilege-
 Level (136) Attribute with a Service-Type (6) Attribute having a
 value of NAS-Prompt (7) will have the effect of increasing the
 minimum privilege level.  Conversely, it is NOT RECOMMENDED to use
 this attribute with a Service-Type (6) Attribute with a value of
 Administrative (6), which may require decreasing the maximum
 privilege level.
 It is NOT RECOMMENDED to use the Management-Privilege-Level (136)
 Attribute in combination with a Management-Policy-Id (135) Attribute
 or for management access methods other than interactive CLI.  The
 behavior resulting from such an overlay of management access control
 provisioning is not defined by this document, and in the absence of
 further specification, is likely to lead to unexpected behaviors,
 especially in multi-vendor environments.

Nelson & Weber Standards Track [Page 14] RFC 5607 RADIUS NAS-Management Authorization July 2009

7. Use with Dynamic Authorization

 It is entirely OPTIONAL for the NAS management authorization
 attributes specified in this document to be used in conjunction with
 Dynamic Authorization extensions to RADIUS [RFC5176].  When such
 usage occurs, those attributes MAY be used as listed in the Table of
 Attributes in Section 10.
 Some guidance on how to identify existing management sessions on a
 NAS for the purposes of Dynamic Authorization is useful.  The primary
 session identifiers SHOULD be User-Name (1) and Service-Type (6).  To
 accommodate instances when that information alone does not uniquely
 identify a session, a NAS supporting Dynamic Authorization SHOULD
 maintain one or more internal session identifiers that can be
 represented as RADIUS attributes.  Examples of such attributes
 include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port
 (5), or NAS-Port-Id (87).  In the case of a remote management
 session, common identifier values might include things such as the
 remote IP address and remote TCP port number, or the file descriptor
 value for use with the open socket.  Any such identifier is obviously
 transient in nature, and implementations SHOULD take care to avoid
 and/or properly handle duplicate or stale values.
 In order for the session identification attributes to be available to
 the Dynamic Authorization Client, a NAS supporting Dynamic
 Authorization for management sessions SHOULD include those session
 identification attributes in the Access-Request message for each such
 session.  Additional discussion of session identification attribute
 usage may be found in Section 3 of [RFC5176].

8. Examples of Attribute Groupings

 1.  Unprotected CLI access, via the local console, to the "super-
     user" access level:
  • Service-Type (6) = Administrative (6)
  • NAS-Port-Type (61) = Async (0)
  • Management-Transport-Protection (134) = No-Protection (1)
 2.  Unprotected CLI access, via a remote console, to the "super-user"
     access level:
  • Service-Type (6) = Administrative (6)
  • NAS-Port-Type (61) = Virtual (5)

Nelson & Weber Standards Track [Page 15] RFC 5607 RADIUS NAS-Management Authorization July 2009

  • Management-Transport-Protection (134) = No-Protection (1)
 3.  CLI access, via a fully protected secure remote terminal service
     to the non-privileged user access level:
  • Service-Type (6) = NAS-Prompt (7)
  • NAS-Port-Type (61) = Virtual (5)
  • Management-Transport-Protection (134) = Integrity-

Confidentiality-Protection (3)

 4.  CLI access, via a fully protected secure remote terminal service,
     to a custom management access level, defined by a policy:
  • Service-Type (6) = NAS-Prompt (7)
  • NAS-Port-Type (61) = Virtual (5)
  • Management-Transport-Protection (134) = Integrity-

Confidentiality-Protection (3)

  • Management-Policy-Id (135) = "Network Administrator"
 5.  CLI access, via a fully protected secure remote terminal service,
     with a management privilege level of 15:
  • Service-Type (6) = NAS-Prompt (7)
  • NAS-Port-Type (61) = Virtual (5)
  • Management-Transport-Protection (134) = Integrity-

Confidentiality-Protection (3)

  • Management-Privilege-Level (136) = 15
 6.  SNMP access, using an Access Control Model specifier, such as a
     custom VACM View, defined by a policy:
  • Service-Type (6) = Framed-Management (18)
  • NAS-Port-Type (61) = Virtual (5)
  • Framed-Management-Protocol (133) = SNMP (1)
  • Management-Policy-Id (135) = "SNMP Network Administrator View"

Nelson & Weber Standards Track [Page 16] RFC 5607 RADIUS NAS-Management Authorization July 2009

     There is currently no standardized way of implementing this
     management policy mapping within SNMP.  Such mechanisms are the
     topic of current research.
 7.  SNMP fully protected access:
  • Service-Type (6) = Framed-Management (18)
  • NAS-Port-Type (61) = Virtual (5)
  • Framed-Management-Protocol (133) = SNMP (1)
  • Management-Transport-Protection (134) = Integrity-

Confidentiality-Protection (3)

 8.  Web (HTTP/HTML) access:
  • Service-Type (6) = Framed-Management (18)
  • NAS-Port-Type (61) = Virtual (5)
  • Framed-Management-Protocol (133) = Web-based (2)
 9.  Secure web access, using a custom management access level,
     defined by a policy:
  • Service-Type (6) = Framed-Management (18)
  • NAS-Port-Type (61) = Virtual (5)
  • Framed-Management-Protocol (133) = Web-based (2)
  • Management-Transport-Protection (134) = Integrity-

Confidentiality-Protection (3)

  • Management-Policy-Id (135) = "Read-only web access"

9. Diameter Translation Considerations

 When used in Diameter, the attributes defined in this specification
 can be used as Diameter attribute-value pairs (AVPs) from the Code
 space 1-255 (RADIUS attribute compatibility space).  No additional
 Diameter Code values are therefore allocated.  The data types and
 flag rules for the attributes are as follows:

Nelson & Weber Standards Track [Page 17] RFC 5607 RADIUS NAS-Management Authorization July 2009

                                  +---------------------+
                                  |    AVP Flag rules   |
                                  |----+-----+----+-----|----+
                                  |    |     SHOULD MUST|    |
 Attribute Name        Value Type |MUST| MAY | NOT|  NOT|Encr|
 ---------------------------------|----+-----+----+-----|----|
 Service-Type                     |    |     |    |     |    |
                       Enumerated | M  |  P  |    |  V  | Y  |
 Framed-Management-Protocol       |    |     |    |     |    |
                       Enumerated | M  |  P  |    |  V  | Y  |
 Management-Transport-Protection  |    |     |    |     |    |
                       Enumerated | M  |  P  |    |  V  | Y  |
 Management-Policy-Id             |    |     |    |     |    |
                       UTF8String | M  |  P  |    |  V  | Y  |
 Management-Privilege-Level       |    |     |    |     |    |
                       Integer    | M  |  P  |    |  V  | Y  |
 ---------------------------------|----+-----+----+-----|----|
 The attributes in this specification have no special translation
 requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
 they are copied as is, except for changes relating to headers,
 alignment, and padding.  See also [RFC3588], Section 4.1, and
 [RFC4005], Section 9.
 What this specification says about the applicability of the
 attributes for RADIUS Access-Request packets applies in Diameter to
 AA-Request [RFC4005].
 What is said about Access-Accept applies in Diameter to AA-Answer
 messages that indicate success.

10. Table of Attributes

 The following table provides a guide to which attributes may be found
 in which kinds of packets, and in what quantity.
 Access Messages
 Request Accept Reject Challenge  #     Attribute
 ---------------------------------------------------------------------
 0-1     0-1      0        0     133   Framed-Management-Protocol
 0-1     0-1      0        0     134   Management-Transport-Protection
 0       0-1      0        0     135   Management-Policy-Id
 0       0-1      0        0     136   Management-Privilege-Level

Nelson & Weber Standards Track [Page 18] RFC 5607 RADIUS NAS-Management Authorization July 2009

 Accounting Messages
 Request Response   #     Attribute
 ---------------------------------------------------------------------
 0-1     0         133   Framed-Management-Protocol
 0-1     0         134   Management-Transport-Protection
 0-1     0         135   Management-Policy-Id
 0-1     0         136   Management-Privilege-Level
 Change-of-Authorization Messages
 Request  ACK   NAK   #     Attribute
 --------------------------------------------------------------------
 0       0     0     133   Framed-Management-Protocol
 0       0     0     134   Management-Transport-Protection
 0-1     0     0     135   Management-Policy-Id (Note 1)
 0-1     0     0     136   Management-Privilege-Level (Note 1)
 Disconnect Messages
 Request  ACK   NAK   #     Attribute
 ---------------------------------------------------------------------
 0        0     0     133   Framed-Management-Protocol
 0        0     0     134   Management-Transport-Protection
 0        0     0     135   Management-Policy-Id
 0        0     0     136   Management-Privilege-Level
 (Note 1) When included within a CoA-Request, these attributes
   represent an authorization change request.  When one of these
   attributes is omitted from a CoA-Request, the NAS assumes that the
   attribute value is to remain unchanged.  Attributes included in a
   CoA-Request replace all existing values of the same attribute(s).
 The following table defines the meaning of the above table entries.
     0    This attribute MUST NOT be present in a packet.
     0+   Zero or more instances of this attribute MAY be present in
          a packet.
     0-1  Zero or one instance of this attribute MAY be present in
          a packet.
     1    Exactly one instance of this attribute MUST be present in
          a packet.

11. IANA Considerations

 The following numbers have been assigned in the RADIUS Attribute
 Types registry.

Nelson & Weber Standards Track [Page 19] RFC 5607 RADIUS NAS-Management Authorization July 2009

 o  New enumerated value for the existing Service-Type Attribute:
  • Framed-Management (18)
 o  New RADIUS Attribute Types:
  • Framed-Management-Protocol (133)
  • Management-Transport-Protection (134)
  • Management-Policy-Id (135)
  • Management-Privilege-Level (136)
 The enumerated values of the newly assigned RADIUS Attribute Types as
 defined in this document were assigned at the same time as the new
 Attribute Types.
 For the Framed-Management-Protocol Attribute:
       1      SNMP
       2      Web-based
       3      NETCONF
       4      FTP
       5      TFTP
       6      SFTP
       7      RCP
       8      SCP
 For the Management-Transport-Protection Attribute:
       1      No-Protection
       2      Integrity-Protection
       3      Integrity-Confidentiality-Protection
 Assignments of additional enumerated values for the RADIUS attributes
 defined in this document are to be processed as described in
 [RFC3575], subject to the additional requirement of a published
 specification.

12. Security Considerations

12.1. General Considerations

 This specification describes the use of RADIUS and Diameter for
 purposes of authentication, authorization, and accounting for
 management access to devices within networks.  RADIUS threats and
 security issues for this application are described in [RFC3579] and

Nelson & Weber Standards Track [Page 20] RFC 5607 RADIUS NAS-Management Authorization July 2009

 [RFC3580]; security issues encountered in roaming are described in
 [RFC2607].  For Diameter, the security issues relating to this
 application are described in [RFC4005] and [RFC4072].
 This document specifies new attributes that can be included in
 existing RADIUS packets, which may be protected as described in
 [RFC3579] and [RFC5176].  In Diameter, the attributes are protected
 as specified in [RFC3588].  See those documents for a more detailed
 description.
 The security mechanisms supported in RADIUS and Diameter are focused
 on preventing an attacker from spoofing packets or modifying packets
 in transit.  They do not prevent an authorized RADIUS/Diameter server
 or proxy from inserting attributes with malicious intent.
 A legacy NAS may not recognize the attributes in this document that
 supplement the provisioning of CLI management access.  If the value
 of the Service-Type Attribute is NAS-Prompt or Administrative, the
 legacy NAS may silently discard such attributes, while permitting the
 user to access the CLI management interface(s) of the NAS.  This can
 lead to users improperly receiving authorized management access to
 the NAS, or access with greater levels of access rights than were
 intended.  RADIUS servers SHOULD attempt to ascertain whether or not
 the NAS supports these attributes before sending them in an Access-
 Accept message that provisions CLI access.
 It is possible that certain NAS implementations may not be able to
 determine the protection properties of the underlying transport
 protocol as specified by the Management-Transport-Protection
 Attribute.  This may be a limitation of the standard application
 programming interface of the underlying transport implementation or
 of the integration of the transport into the NAS implementation.  In
 either event, NASes conforming to this specification, which cannot
 determine the protection state of the remote management connection,
 MUST treat an Access-Accept message containing a Management-
 Transport-Protection Attribute containing a value other than No-
 Protection (1) as if it were an Access-Reject message, unless
 specifically overridden by local policy configuration.
 Use of the No-Protection (1) option for the Management-Transport-
 Protection (134) Attribute is NOT RECOMMENDED in any deployment where
 secure management or configuration is required.

Nelson & Weber Standards Track [Page 21] RFC 5607 RADIUS NAS-Management Authorization July 2009

12.2. RADIUS Proxy Operation Considerations

 The device management access authorization attributes presented in
 this document present certain considerations when used in RADIUS
 proxy environments.  These considerations are not different from
 those that exist in RFC 2865 [RFC2865] with respect to the Service-
 Type Attribute values of Administrative and NAS-Prompt.
 Most RADIUS proxy environments are also multi-party environments.  In
 multi-party proxy environments it is important to distinguish which
 entities have the authority to provision management access to the
 edge devices, i.e., NASes, and which entities only have authority to
 provision network access services of various sorts.
 It may be important that operators of the NAS are able to ensure that
 access to the CLI, or other management interfaces of the NAS, is only
 provisioned to their own employees or contractors.  One way for the
 NAS to enforce this requirement is to use only local, non-proxy
 RADIUS servers for management access requests.  Proxy RADIUS servers
 could be used for non-management access requests, based on local
 policy.  This "bifurcation" of RADIUS authentication and
 authorization is a simple case of separate administrative realms.
 The NAS may be designed so as to maintain separate lists of RADIUS
 servers for management AAA use and for non-management AAA use.
 An alternate method of enforcing this requirement would be for the
 first-hop RADIUS proxy server, operated by the owner of the NAS, to
 filter out any RADIUS attributes that provision management access
 rights that originate from "up-stream" proxy servers not operated by
 the NAS owner.  Access-Accept messages that provision such locally
 unauthorized management access MAY be treated as if they were an
 Access-Reject by the first-hop proxy server.
 An additional exposure present in proxy deployments is that sensitive
 user credentials, e.g., passwords, are likely to be available in
 cleartext form at each of the proxy servers.  Encrypted or hashed
 credentials are not subject to this risk, but password authentication
 is a very commonly used mechanism for management access
 authentication, and in RADIUS passwords are only protected on a hop-
 by-hop basis.  Malicious proxy servers could misuse this sensitive
 information.
 These issues are not of concern when all the RADIUS servers, local
 and proxy, used by the NAS are under the sole administrative control
 of the NAS owner.

Nelson & Weber Standards Track [Page 22] RFC 5607 RADIUS NAS-Management Authorization July 2009

13. Acknowledgments

 Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
 David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Hannes
 Tschofenig, Barney Wolff, and Glen Zorn.

14. References

14.1. Normative References

 [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.
 [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
            "Remote Authentication Dial In User Service (RADIUS)",
            RFC 2865, June 2000.
 [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
            10646", STD 63, RFC 3629, November 2003.

14.2. Informative References

 [HTML]     Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
            Specification, W3C", December 1999.
 [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
            STD 9, RFC 959, October 1985.
 [RFC1350]  Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
            RFC 1350, July 1992.
 [RFC2607]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
            Implementation in Roaming", RFC 2607, June 1999.
 [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
            Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
            Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
 [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
 [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
            Architecture for Describing Simple Network Management
            Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
            December 2002.

Nelson & Weber Standards Track [Page 23] RFC 5607 RADIUS NAS-Management Authorization July 2009

 [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
            "Message Processing and Dispatching for the Simple Network
            Management Protocol (SNMP)", STD 62, RFC 3412,
            December 2002.
 [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
            Management Protocol (SNMP) Applications", STD 62,
            RFC 3413, December 2002.
 [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
            (USM) for version 3 of the Simple Network Management
            Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
 [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
            Access Control Model (VACM) for the Simple Network
            Management Protocol (SNMP)", STD 62, RFC 3415,
            December 2002.
 [RFC3416]  Presuhn, R., "Version 2 of the Protocol Operations for the
            Simple Network Management Protocol (SNMP)", STD 62,
            RFC 3416, December 2002.
 [RFC3417]  Presuhn, R., "Transport Mappings for the Simple Network
            Management Protocol (SNMP)", STD 62, RFC 3417,
            December 2002.
 [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
            Simple Network Management Protocol (SNMP)", STD 62,
            RFC 3418, December 2002.
 [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
            Authentication Dial In User Service)", RFC 3575,
            July 2003.
 [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
            Dial In User Service) Support For Extensible
            Authentication Protocol (EAP)", RFC 3579, September 2003.
 [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
            "IEEE 802.1X Remote Authentication Dial In User Service
            (RADIUS) Usage Guidelines", RFC 3580, September 2003.
 [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
            Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
 [RFC4005]  Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
            "Diameter Network Access Server Application", RFC 4005,
            August 2005.

Nelson & Weber Standards Track [Page 24] RFC 5607 RADIUS NAS-Management Authorization July 2009

 [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
            Authentication Protocol (EAP) Application", RFC 4072,
            August 2005.
 [RFC4741]  Enns, R., "NETCONF Configuration Protocol", RFC 4741,
            December 2006.
 [RFC4742]  Wasserman, M. and T. Goddard, "Using the NETCONF
            Configuration Protocol over Secure SHell (SSH)", RFC 4742,
            December 2006.
 [RFC4743]  Goddard, T., "Using NETCONF over the Simple Object Access
            Protocol (SOAP)", RFC 4743, December 2006.
 [RFC4744]  Lear, E. and K. Crozier, "Using the NETCONF Protocol over
            the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
            December 2006.
 [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
            Aboba, "Dynamic Authorization Extensions to Remote
            Authentication Dial In User Service (RADIUS)", RFC 5176,
            January 2008.
 [SFTP]     Galbraith, J. and O. Saarenmaa, "SSH File Transfer
            Protocol", Work in Progress, July 2006.
 [SSH]      Barrett, D., Silverman, R., and R. Byrnes, "SSH, the
            Secure Shell: The Definitive Guide, Second Edition,
            O'Reilly and Associates", May 2005.

Authors' Addresses

 David B. Nelson
 Elbrys Networks, Inc.
 282 Corporate Drive
 Portsmouth, NH  03801
 USA
 EMail: dnelson@elbrysnetworks.com
 Greg Weber
 Individual Contributor
 Knoxville, TN  37932
 USA
 EMail: gdweber@gmail.com

Nelson & Weber Standards Track [Page 25]

/data/webs/external/dokuwiki/data/pages/rfc/rfc5607.txt · Last modified: 2009/07/27 08:53 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki