1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
|
Network Working Group D. Nelson
Request for Comments: 5607 Elbrys Networks, Inc.
Category: Standards Track G. Weber
Individual Contributor
July 2009
Remote Authentication Dial-In User Service (RADIUS) Authorization for
Network Access Server (NAS) Management
Abstract
This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for authorizing management access to a Network
Access Server (NAS). Both local and remote management are supported,
with granular access rights and management privileges. Specific
provisions are made for remote management via Framed Management
protocols and for management access over a secure transport protocol.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
Nelson & Weber Standards Track [Page 1]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Domain of Applicability . . . . . . . . . . . . . . . . . . . 5
5. New Values for Existing RADIUS Attributes . . . . . . . . . . 6
5.1. Service-Type . . . . . . . . . . . . . . . . . . . . . . .6
6. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 6
6.1. Framed-Management-Protocol . . . . . . . . . . . . . . . . 6
6.2. Management-Transport-Protection . . . . . . . . . . . . . 9
6.3. Management-Policy-Id . . . . . . . . . . . . . . . . . . . 11
6.4. Management-Privilege-Level . . . . . . . . . . . . . . . . 13
7. Use with Dynamic Authorization . . . . . . . . . . . . . . . . 15
8. Examples of Attribute Groupings . . . . . . . . . . . . . . . 15
9. Diameter Translation Considerations . . . . . . . . . . . . . 17
10. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 18
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
12. Security Considerations . . . . . . . . . . . . . . . . . . . 20
12.1. General Considerations . . . . . . . . . . . . . . . . . . 20
12.2. RADIUS Proxy Operation Considerations . . . . . . . . . . 22
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
14.1. Normative References . . . . . . . . . . . . . . . . . . . 23
14.2. Informative References . . . . . . . . . . . . . . . . . . 23
Nelson & Weber Standards Track [Page 2]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
1. Introduction
RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
values of the Service-Type (6) Attribute. Both of these values
provide access to the interactive, text-based Command Line Interface
(CLI) of the NAS, and were originally developed to control access to
the physical console port of the NAS, most often a serial port.
Remote access to the CLI of the NAS has been available in NAS
implementations for many years, using protocols such as Telnet,
Rlogin, and the remote terminal service of the Secure SHell (SSH).
In order to distinguish local, physical, console access from remote
access, the NAS-Port-Type (61) Attribute is generally included in
Access-Request and Access-Accept messages, along with the Service-
Type (6) Attribute, to indicate the form of access. A NAS-Port-Type
(61) Attribute with a value of Async (0) is used to signify a local
serial port connection, while a value of Virtual (5) is used to
signify a remote connection, via a remote terminal protocol. This
usage provides no selectivity among the various available remote
terminal protocols (e.g., Telnet, Rlogin, SSH, etc.).
Today, it is common for network devices to support more than the two
privilege levels for management access provided by the Service-Type
(6) Attribute with values of NAS-Prompt (7) (non-privileged) and
Administrative (6) (privileged). Also, other management mechanisms
may be used, such as Web-based management, the Simple Network
Management Protocol (SNMP), and the Network Configuration Protocol
(NETCONF). To provide support for these additional features, this
specification defines attributes for Framed Management protocols,
management protocol security, and management access privilege levels.
Remote management via the command line is carried over protocols such
as Telnet, Rlogin, and the remote terminal service of SSH. Since
these protocols are primarily for the delivery of terminal or
terminal emulation services, the term "Framed Management" is used to
describe management protocols supporting techniques other than the
command line. Typically, these mechanisms format management
information in a binary or textual encoding such as HTML, XML, or
ASN.1/BER. Examples include Web-based management (HTML over HTTP or
HTTPS), NETCONF (XML over SSH or BEEP or SOAP), and SNMP (SMI over
ASN.1/BER). Command line interface, menu interface, or other text-
based (e.g., ASCII or UTF-8) terminal emulation services are not
considered to be Framed Management protocols.
Nelson & Weber Standards Track [Page 3]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology from RFC 2865 [RFC2865], RFC 2866
[RFC2866], and RFC 5176 [RFC5176].
The term "integrity protection", as used in this document, is *not*
the same as "authentication", as used in SNMP. Integrity protection
requires the sharing of cryptographic keys, but it does not require
authenticated principals. Integrity protection could be used, for
example, with anonymous Diffie-Hellman key agreement. In SNMP, the
proof of identity of the principals (authentication) is conflated
with tamper-resistance of the protected messages (integrity). In
this document, we assume that integrity protection and authentication
are separate concerns. Authentication is part of the base RADIUS
protocol.
SNMP uses the terms "auth" and "noAuth", as well as "priv" and
"noPriv". There is no analog to auth or noAuth in this document. In
this document, we are assuming that authentication always occurs when
it is required, i.e., as a prerequisite to provisioning of access via
an Access-Accept packet.
3. Overview
To support the authorization and provisioning of Framed Management
access to managed entities, this document introduces a new value for
the Service-Type (6) Attribute [RFC2865] and one new attribute. The
new value for the Service-Type (6) Attribute is Framed-Management
(18), used for remote device management via a Framed Management
protocol. The new attribute is Framed-Management-Protocol (133), the
value of which specifies a particular protocol for use in the remote
management session.
Two new attributes are introduced in this document in support of
granular management access rights or command privilege levels. The
Management-Policy-Id (135) Attribute provides a text string
specifying a policy name of local scope, that is assumed to have been
pre-provisioned on the NAS. This use of an attribute to specify use
of a pre-provisioned policy is similar to the Filter-Id (11)
Attribute defined in [RFC2865] Section 5.11.
The local application of the Management-Policy-Id (135) Attribute
within the managed entity may take the form of (a) one of an
enumeration of command privilege levels, (b) a mapping into an SNMP
Nelson & Weber Standards Track [Page 4]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
Access Control Model, such as the View-Based Access Control Model
(VACM) [RFC3415], or (c) some other set of management access policy
rules that is mutually understood by the managed entity and the
remote management application. Examples are given in Section 8.
The Management-Privilege-Level (136) Attribute contains an integer-
valued management privilege level indication. This attribute serves
to modify or augment the management permissions provided by the NAS-
Prompt (7) value of the Service-Type (6) Attribute, and thus applies
to CLI management.
To enable management security requirements to be specified, the
Management-Transport-Protection (134) Attribute is introduced. The
value of this attribute indicates the minimum level of secure
transport protocol protection required for the provisioning of NAS-
Prompt (7), Administrative (6), or Framed-Management (18) service.
4. Domain of Applicability
Most of the RADIUS attributes defined in this document have broad
applicability for provisioning local and remote management access to
NAS devices. However, those attributes that provision remote access
over Framed Management protocols and over secure transports have
special considerations. This document does not specify the details
of the integration of these protocols with a RADIUS client in the NAS
implementation. However, there are functional requirements for
correct application of Framed Management protocols and/or secure
transport protocols that will limit the selection of such protocols
that can be considered for use with RADIUS. Since the RADIUS user
credentials are typically obtained by the RADIUS client from the
secure transport protocol server or the Framed Management protocol
server, the protocol, and its implementation in the NAS, MUST support
forms of credentials that are compatible with the authentication
methods supported by RADIUS.
RADIUS currently supports the following user authentication methods,
although others may be added in the future:
o Password - RFC 2865
o CHAP (Challenge Handshake Authentication Protocol) - RFC 2865
o ARAP (Apple Remote Access Protocol) - RFC 2869
o EAP (Extensible Authentication Protocol) - RFC 2869, RFC 3579
o HTTP Digest - RFC 5090
Nelson & Weber Standards Track [Page 5]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
The remote management protocols selected for use with the RADIUS
remote NAS management sessions, for example, those described in
Section 6.1, and the secure transport protocols selected to meet the
protection requirements, as described in Section 6.2, obviously need
to support user authentication methods that are compatible with those
that exist in RADIUS. The RADIUS authentication methods most likely
usable with these protocols are Password, CHAP, and possibly HTTP
Digest, with Password being the distinct common denominator. There
are many secure transports that support other, more robust,
authentication mechanisms, such as public key. RADIUS has no support
for public key authentication, except within the context of an EAP
Method. The applicability statement for EAP indicates that it is not
intended for use as an application-layer authentication mechanism, so
its use with the mechanisms described in this document is NOT
RECOMMENDED. In some cases, Password may be the only compatible
RADIUS authentication method available.
5. New Values for Existing RADIUS Attributes
5.1. Service-Type
The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
[RFC2865]. This document defines a new value of the Service-Type
Attribute, as follows:
18 Framed-Management
The semantics of the Framed-Management service are as follows:
Framed-Management A Framed Management protocol session should
be started on the NAS.
6. New RADIUS Attributes
This document defines four new RADIUS attributes related to
management authorization.
6.1. Framed-Management-Protocol
The Framed-Management-Protocol (133) Attribute indicates the
application-layer management protocol to be used for Framed
Management access. It MAY be used in both Access-Request and Access-
Accept packets. This attribute is used in conjunction with a
Service-Type (6) Attribute with the value of Framed-Management (18).
It is RECOMMENDED that the NAS include an appropriately valued
Framed-Management-Protocol (133) Attribute in an Access-Request
packet, indicating the type of management access being requested. It
Nelson & Weber Standards Track [Page 6]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
is further RECOMMENDED that the NAS include a Service-Type (6)
Attribute with the value Framed-Management (18) in the same Access-
Request packet. The RADIUS server MAY use these attributes as a hint
in making its authorization decision.
The RADIUS server MAY include a Framed-Management-Protocol (133)
Attribute in an Access-Accept packet that also includes a Service-
Type (6) Attribute with a value of Framed-Management (18), when the
RADIUS server chooses to enforce a management access policy for the
authenticated user that dictates one form of management access in
preference to others.
When a NAS receives a Framed-Management-Protocol (133) Attribute in
an Access-Accept packet, it MUST deliver that specified form of
management access or disconnect the session. If the NAS does not
support the provisioned management application-layer protocol, or the
management access protocol requested by the user does not match that
of the Framed-Management-Protocol (133) Attribute in the Access-
Accept packet, the NAS MUST treat the Access-Accept packet as if it
had been an Access-Reject.
A summary of the Framed-Management-Protocol (133) Attribute format is
shown below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
133 for Framed-Management-Protocol.
Length
6
Nelson & Weber Standards Track [Page 7]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
Value
The Value field is a four-octet enumerated value.
1 SNMP
2 Web-based
3 NETCONF
4 FTP
5 TFTP
6 SFTP
7 RCP
8 SCP
All other values are reserved for IANA allocation subject to the
provisions of Section 11.
The acronyms used in the above table expand as follows:
o SNMP: Simple Network Management Protocol [RFC3411], [RFC3412],
[RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418].
o Web-based: Use of an embedded web server in the NAS for management
via a generic web browser client. The interface presented to the
administrator may be graphical, tabular, or textual. The protocol
is HTML over HTTP. The protocol may optionally be HTML over
HTTPS, i.e., using HTTP over TLS [HTML] [RFC2616].
o NETCONF: Management via the NETCONF protocol using XML over
supported transports (e.g., SSH, BEEP, SOAP). As secure transport
profiles are defined for NETCONF, the list of transport options
may expand [RFC4741], [RFC4742], [RFC4743], [RFC4744].
o FTP: File Transfer Protocol, used to transfer configuration files
to and from the NAS [RFC0959].
o TFTP: Trivial File Transfer Protocol, used to transfer
configuration files to and from the NAS [RFC1350].
o SFTP: SSH File Transfer Protocol, used to securely transfer
configuration files to and from the NAS. SFTP uses the services
of SSH [SFTP]. See also Section 3.7, "SSH and File Transfers" of
[SSH]. Additional information on the "sftp" program may typically
be found in the online documentation ("man" pages) of Unix
systems.
Nelson & Weber Standards Track [Page 8]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
o RCP: Remote CoPy file copy utility (Unix-based), used to transfer
configuration files to and from the NAS. See Section 3.7, "SSH
and File Transfers", of [SSH]. Additional information on the
"rcp" program may typically be found in the online documentation
("man" pages) of Unix systems.
o SCP: Secure CoPy file copy utility (Unix-based), used to transfer
configuration files to and from the NAS. The "scp" program is a
simple wrapper around SSH. It's basically a patched BSD Unix
"rcp", which uses ssh to do the data transfer (instead of using
"rcmd"). See Section 3.7, "SSH and File Transfers", of [SSH].
Additional information on the "scp" program may typically be found
in the online documentation ("man" pages) of Unix systems.
6.2. Management-Transport-Protection
The Management-Transport-Protection (134) Attribute specifies the
minimum level of protection that is required for a protected
transport used with the Framed or non-Framed Management access
session. The protected transport used by the NAS MAY provide a
greater level of protection, but MUST NOT provide a lower level of
protection.
When a secure form of non-Framed Management access is specified, it
means that the remote terminal session is encapsulated in some form
of protected transport, or tunnel. It may also mean that an explicit
secure mode of operation is required, when the Framed Management
protocol contains an intrinsic secure mode of operation. The
Management-Transport-Protection (134) Attribute does not apply to CLI
access via a local serial port, or other non-remote connection.
When a secure form of Framed Management access is specified, it means
that the application-layer management protocol is encapsulated in
some form of protected transport, or tunnel. It may also mean that
an explicit secure mode of operation is required, when the Framed
Management protocol contains an intrinsic secure mode of operation.
A value of "No Protection (1)" indicates that a secure transport
protocol is not required, and that the NAS SHOULD accept a connection
over any transport associated with the application-layer management
protocol. The definitions of management application to transport
bindings are defined in the relevant documents that specify those
management application protocols. The same "No Protection" semantics
are conveyed by omitting this attribute from an Access-Accept packet.
Specific protected transport protocols, cipher suites, key agreement
methods, or authentication methods are not specified by this
attribute. Such provisioning is beyond the scope of this document.
Nelson & Weber Standards Track [Page 9]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
It is RECOMMENDED that the NAS include an appropriately valued
Management-Transport-Protection (134) Attribute in an Access-Request
packet, indicating the level of transport protection for the
management access being requested, when that information is available
to the RADIUS client. The RADIUS server MAY use this attribute as a
hint in making its authorization decision.
The RADIUS server MAY include a Management-Transport-Protection (134)
Attribute in an Access-Accept packet that also includes a Service-
Type (6) Attribute with a value of Framed-Management (18), when the
RADIUS server chooses to enforce a management access security policy
for the authenticated user that dictates a minimum level of transport
security.
When a NAS receives a Management-Transport-Protection (134) Attribute
in an Access-Accept packet, it MUST deliver the management access
over a transport with equal or better protection characteristics or
disconnect the session. If the NAS does not support protected
management transport protocols, or the level of protection available
does not match that of the Management-Transport-Protection (134)
Attribute in the Access-Accept packet, the NAS MUST treat the
response packet as if it had been an Access-Reject.
A summary of the Management-Transport-Protection (134) Attribute
format is shown below. The fields are transmitted from left to
right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
134 for Management-Transport-Protection.
Length
6
Nelson & Weber Standards Track [Page 10]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
Value
The Value field is a four-octet enumerated value.
1 No-Protection
2 Integrity-Protection
3 Integrity-Confidentiality-Protection
All other values are reserved for IANA allocation subject to the
provisions of Section 11.
The names used in the above table are elaborated as follows:
o No-Protection: No transport protection is required. Accept
connections via any supported transport.
o Integrity-Protection: The management transport MUST provide
Integrity Protection, i.e., protection from unauthorized
modification, using a cryptographic checksum.
o Integrity-Confidentiality-Protection: The management transport
MUST provide both Integrity Protection and Confidentiality
Protection, i.e., protection from unauthorized modification, using
a cryptographic checksum, and protection from unauthorized
disclosure, using encryption.
The configuration or negotiation of acceptable algorithms, modes, and
credentials for the cryptographic protection mechanisms used in
implementing protected management transports is outside the scope of
this document. Many such mechanisms have standardized methods of
configuration and key management.
6.3. Management-Policy-Id
The Management-Policy-Id (135) Attribute indicates the name of the
management access policy for this user. Zero or one Management-
Policy-Id (135) Attributes MAY be sent in an Access-Accept packet.
Identifying a policy by name allows the policy to be used on
different NASes without regard to implementation details.
Multiple forms of management access rules may be expressed by the
underlying named policy, the definition of which is beyond the scope
of this document. The management access policy MAY be applied
contextually, based on the nature of the management access method.
For example, some named policies may only be valid for application to
NAS-Prompt (7) services and some other policies may only be valid for
SNMP.
Nelson & Weber Standards Track [Page 11]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
The management access policy named in this attribute, received in an
Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the NAS supports this attribute, but the
policy name is unknown, or if the RADIUS client is able to determine
that the policy rules are incorrectly formatted, the NAS MUST treat
the Access-Accept packet as if it had been an Access-Reject.
No precedence relationship is defined for multiple occurrences of the
Management-Policy-Id (135) Attribute. NAS behavior in such cases is
undefined. Therefore, two or more occurrences of this attribute
SHOULD NOT be included in an Access-Accept or CoA-Request (Change-of-
Authorization). In the absence of further specification defining
some sort of precedence relationship, it is not possible to guarantee
multi-vendor interoperability when using multiple instances of this
attribute in a single Access-Accept or CoA-Request packet.
The content of the Management-Policy-Id (135) Attribute is expected
to be the name of a management access policy of local significance to
the NAS, within a namespace of significance to the NAS. In this
regard, the behavior is similar to that for the Filter-Id (11)
Attribute. The policy names and rules are committed to the local
configuration data-store of the NAS, and are provisioned by means
beyond the scope of this document, such as via SNMP, NETCONF, or CLI.
The namespace used in the Management-Policy-Id (135) Attribute is
simple and monolithic. There is no explicit or implicit structure or
hierarchy. For example, in the text string "example.com", the "."
(period or dot) is just another character. It is expected that text
string matching will be performed without parsing the text string
into any sub-fields.
Overloading or subdividing this simple name with multi-part
specifiers (e.g., Access=remote, Level=7) is likely to lead to poor
multi-vendor interoperability and SHOULD NOT be utilized. If a
simple, unstructured policy name is not sufficient, it is RECOMMENDED
that a Vendor Specific (26) Attribute be used instead, rather than
overloading the semantics of Management-Policy-Id.
Nelson & Weber Standards Track [Page 12]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
A summary of the Management-Policy-Id (135) Attribute format is shown
below. The fields are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
135 for Management-Policy-Id.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human
readable and the contents MUST NOT be parsed by the receiver;
the contents can only be used to look up locally defined
policies. It is RECOMMENDED that the message contain UTF-8
encoded 10646 [RFC3629] characters.
6.4. Management-Privilege-Level
The Management-Privilege-Level (136) Attribute indicates the integer-
valued privilege level to be assigned for management access for the
authenticated user. Many NASes provide the notion of differentiated
management privilege levels denoted by an integer value. The
specific access rights conferred by each value are implementation
dependent. It MAY be used in both Access-Request and Access-Accept
packets.
The mapping of integer values for this attribute to specific
collections of management access rights or permissions on the NAS is
vendor and implementation specific. Such mapping is often a user-
configurable feature. It's RECOMMENDED that greater numeric values
imply greater privilege. However, it would be a mistake to assume
that this recommendation always holds.
The management access level indicated in this attribute, received in
an Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the NAS supports this attribute, but the
privilege level is unknown, the NAS MUST treat the Access-Accept
packet as if it had been an Access-Reject.
Nelson & Weber Standards Track [Page 13]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
A summary of the Management-Privilege-Level (136) Attribute format is
show below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
136 for Management-Privilege-Level.
Length
6
Value
The Value field is a four-octet Integer, denoting a management
privilege level.
It is RECOMMENDED to limit use of the Management-Privilege-Level
(136) Attribute to sessions where the Service-Type (6) Attribute has
a value of NAS-Prompt (7) (not Administrative). Typically, NASes
treat NAS-Prompt as the minimal privilege CLI service and
Administrative as full privilege. Using the Management-Privilege-
Level (136) Attribute with a Service-Type (6) Attribute having a
value of NAS-Prompt (7) will have the effect of increasing the
minimum privilege level. Conversely, it is NOT RECOMMENDED to use
this attribute with a Service-Type (6) Attribute with a value of
Administrative (6), which may require decreasing the maximum
privilege level.
It is NOT RECOMMENDED to use the Management-Privilege-Level (136)
Attribute in combination with a Management-Policy-Id (135) Attribute
or for management access methods other than interactive CLI. The
behavior resulting from such an overlay of management access control
provisioning is not defined by this document, and in the absence of
further specification, is likely to lead to unexpected behaviors,
especially in multi-vendor environments.
Nelson & Weber Standards Track [Page 14]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
7. Use with Dynamic Authorization
It is entirely OPTIONAL for the NAS management authorization
attributes specified in this document to be used in conjunction with
Dynamic Authorization extensions to RADIUS [RFC5176]. When such
usage occurs, those attributes MAY be used as listed in the Table of
Attributes in Section 10.
Some guidance on how to identify existing management sessions on a
NAS for the purposes of Dynamic Authorization is useful. The primary
session identifiers SHOULD be User-Name (1) and Service-Type (6). To
accommodate instances when that information alone does not uniquely
identify a session, a NAS supporting Dynamic Authorization SHOULD
maintain one or more internal session identifiers that can be
represented as RADIUS attributes. Examples of such attributes
include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port
(5), or NAS-Port-Id (87). In the case of a remote management
session, common identifier values might include things such as the
remote IP address and remote TCP port number, or the file descriptor
value for use with the open socket. Any such identifier is obviously
transient in nature, and implementations SHOULD take care to avoid
and/or properly handle duplicate or stale values.
In order for the session identification attributes to be available to
the Dynamic Authorization Client, a NAS supporting Dynamic
Authorization for management sessions SHOULD include those session
identification attributes in the Access-Request message for each such
session. Additional discussion of session identification attribute
usage may be found in Section 3 of [RFC5176].
8. Examples of Attribute Groupings
1. Unprotected CLI access, via the local console, to the "super-
user" access level:
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Async (0)
* Management-Transport-Protection (134) = No-Protection (1)
2. Unprotected CLI access, via a remote console, to the "super-user"
access level:
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Virtual (5)
Nelson & Weber Standards Track [Page 15]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
* Management-Transport-Protection (134) = No-Protection (1)
3. CLI access, via a fully protected secure remote terminal service
to the non-privileged user access level:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-
Confidentiality-Protection (3)
4. CLI access, via a fully protected secure remote terminal service,
to a custom management access level, defined by a policy:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-
Confidentiality-Protection (3)
* Management-Policy-Id (135) = "Network Administrator"
5. CLI access, via a fully protected secure remote terminal service,
with a management privilege level of 15:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-
Confidentiality-Protection (3)
* Management-Privilege-Level (136) = 15
6. SNMP access, using an Access Control Model specifier, such as a
custom VACM View, defined by a policy:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = SNMP (1)
* Management-Policy-Id (135) = "SNMP Network Administrator View"
Nelson & Weber Standards Track [Page 16]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
There is currently no standardized way of implementing this
management policy mapping within SNMP. Such mechanisms are the
topic of current research.
7. SNMP fully protected access:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = SNMP (1)
* Management-Transport-Protection (134) = Integrity-
Confidentiality-Protection (3)
8. Web (HTTP/HTML) access:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = Web-based (2)
9. Secure web access, using a custom management access level,
defined by a policy:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = Web-based (2)
* Management-Transport-Protection (134) = Integrity-
Confidentiality-Protection (3)
* Management-Policy-Id (135) = "Read-only web access"
9. Diameter Translation Considerations
When used in Diameter, the attributes defined in this specification
can be used as Diameter attribute-value pairs (AVPs) from the Code
space 1-255 (RADIUS attribute compatibility space). No additional
Diameter Code values are therefore allocated. The data types and
flag rules for the attributes are as follows:
Nelson & Weber Standards Track [Page 17]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
+---------------------+
| AVP Flag rules |
|----+-----+----+-----|----+
| | SHOULD MUST| |
Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr|
---------------------------------|----+-----+----+-----|----|
Service-Type | | | | | |
Enumerated | M | P | | V | Y |
Framed-Management-Protocol | | | | | |
Enumerated | M | P | | V | Y |
Management-Transport-Protection | | | | | |
Enumerated | M | P | | V | Y |
Management-Policy-Id | | | | | |
UTF8String | M | P | | V | Y |
Management-Privilege-Level | | | | | |
Integer | M | P | | V | Y |
---------------------------------|----+-----+----+-----|----|
The attributes in this specification have no special translation
requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
they are copied as is, except for changes relating to headers,
alignment, and padding. See also [RFC3588], Section 4.1, and
[RFC4005], Section 9.
What this specification says about the applicability of the
attributes for RADIUS Access-Request packets applies in Diameter to
AA-Request [RFC4005].
What is said about Access-Accept applies in Diameter to AA-Answer
messages that indicate success.
10. Table of Attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Access Messages
Request Accept Reject Challenge # Attribute
---------------------------------------------------------------------
0-1 0-1 0 0 133 Framed-Management-Protocol
0-1 0-1 0 0 134 Management-Transport-Protection
0 0-1 0 0 135 Management-Policy-Id
0 0-1 0 0 136 Management-Privilege-Level
Nelson & Weber Standards Track [Page 18]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
Accounting Messages
Request Response # Attribute
---------------------------------------------------------------------
0-1 0 133 Framed-Management-Protocol
0-1 0 134 Management-Transport-Protection
0-1 0 135 Management-Policy-Id
0-1 0 136 Management-Privilege-Level
Change-of-Authorization Messages
Request ACK NAK # Attribute
--------------------------------------------------------------------
0 0 0 133 Framed-Management-Protocol
0 0 0 134 Management-Transport-Protection
0-1 0 0 135 Management-Policy-Id (Note 1)
0-1 0 0 136 Management-Privilege-Level (Note 1)
Disconnect Messages
Request ACK NAK # Attribute
---------------------------------------------------------------------
0 0 0 133 Framed-Management-Protocol
0 0 0 134 Management-Transport-Protection
0 0 0 135 Management-Policy-Id
0 0 0 136 Management-Privilege-Level
(Note 1) When included within a CoA-Request, these attributes
represent an authorization change request. When one of these
attributes is omitted from a CoA-Request, the NAS assumes that the
attribute value is to remain unchanged. Attributes included in a
CoA-Request replace all existing values of the same attribute(s).
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in
a packet.
0-1 Zero or one instance of this attribute MAY be present in
a packet.
1 Exactly one instance of this attribute MUST be present in
a packet.
11. IANA Considerations
The following numbers have been assigned in the RADIUS Attribute
Types registry.
Nelson & Weber Standards Track [Page 19]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
o New enumerated value for the existing Service-Type Attribute:
* Framed-Management (18)
o New RADIUS Attribute Types:
* Framed-Management-Protocol (133)
* Management-Transport-Protection (134)
* Management-Policy-Id (135)
* Management-Privilege-Level (136)
The enumerated values of the newly assigned RADIUS Attribute Types as
defined in this document were assigned at the same time as the new
Attribute Types.
For the Framed-Management-Protocol Attribute:
1 SNMP
2 Web-based
3 NETCONF
4 FTP
5 TFTP
6 SFTP
7 RCP
8 SCP
For the Management-Transport-Protection Attribute:
1 No-Protection
2 Integrity-Protection
3 Integrity-Confidentiality-Protection
Assignments of additional enumerated values for the RADIUS attributes
defined in this document are to be processed as described in
[RFC3575], subject to the additional requirement of a published
specification.
12. Security Considerations
12.1. General Considerations
This specification describes the use of RADIUS and Diameter for
purposes of authentication, authorization, and accounting for
management access to devices within networks. RADIUS threats and
security issues for this application are described in [RFC3579] and
Nelson & Weber Standards Track [Page 20]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
[RFC3580]; security issues encountered in roaming are described in
[RFC2607]. For Diameter, the security issues relating to this
application are described in [RFC4005] and [RFC4072].
This document specifies new attributes that can be included in
existing RADIUS packets, which may be protected as described in
[RFC3579] and [RFC5176]. In Diameter, the attributes are protected
as specified in [RFC3588]. See those documents for a more detailed
description.
The security mechanisms supported in RADIUS and Diameter are focused
on preventing an attacker from spoofing packets or modifying packets
in transit. They do not prevent an authorized RADIUS/Diameter server
or proxy from inserting attributes with malicious intent.
A legacy NAS may not recognize the attributes in this document that
supplement the provisioning of CLI management access. If the value
of the Service-Type Attribute is NAS-Prompt or Administrative, the
legacy NAS may silently discard such attributes, while permitting the
user to access the CLI management interface(s) of the NAS. This can
lead to users improperly receiving authorized management access to
the NAS, or access with greater levels of access rights than were
intended. RADIUS servers SHOULD attempt to ascertain whether or not
the NAS supports these attributes before sending them in an Access-
Accept message that provisions CLI access.
It is possible that certain NAS implementations may not be able to
determine the protection properties of the underlying transport
protocol as specified by the Management-Transport-Protection
Attribute. This may be a limitation of the standard application
programming interface of the underlying transport implementation or
of the integration of the transport into the NAS implementation. In
either event, NASes conforming to this specification, which cannot
determine the protection state of the remote management connection,
MUST treat an Access-Accept message containing a Management-
Transport-Protection Attribute containing a value other than No-
Protection (1) as if it were an Access-Reject message, unless
specifically overridden by local policy configuration.
Use of the No-Protection (1) option for the Management-Transport-
Protection (134) Attribute is NOT RECOMMENDED in any deployment where
secure management or configuration is required.
Nelson & Weber Standards Track [Page 21]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
12.2. RADIUS Proxy Operation Considerations
The device management access authorization attributes presented in
this document present certain considerations when used in RADIUS
proxy environments. These considerations are not different from
those that exist in RFC 2865 [RFC2865] with respect to the Service-
Type Attribute values of Administrative and NAS-Prompt.
Most RADIUS proxy environments are also multi-party environments. In
multi-party proxy environments it is important to distinguish which
entities have the authority to provision management access to the
edge devices, i.e., NASes, and which entities only have authority to
provision network access services of various sorts.
It may be important that operators of the NAS are able to ensure that
access to the CLI, or other management interfaces of the NAS, is only
provisioned to their own employees or contractors. One way for the
NAS to enforce this requirement is to use only local, non-proxy
RADIUS servers for management access requests. Proxy RADIUS servers
could be used for non-management access requests, based on local
policy. This "bifurcation" of RADIUS authentication and
authorization is a simple case of separate administrative realms.
The NAS may be designed so as to maintain separate lists of RADIUS
servers for management AAA use and for non-management AAA use.
An alternate method of enforcing this requirement would be for the
first-hop RADIUS proxy server, operated by the owner of the NAS, to
filter out any RADIUS attributes that provision management access
rights that originate from "up-stream" proxy servers not operated by
the NAS owner. Access-Accept messages that provision such locally
unauthorized management access MAY be treated as if they were an
Access-Reject by the first-hop proxy server.
An additional exposure present in proxy deployments is that sensitive
user credentials, e.g., passwords, are likely to be available in
cleartext form at each of the proxy servers. Encrypted or hashed
credentials are not subject to this risk, but password authentication
is a very commonly used mechanism for management access
authentication, and in RADIUS passwords are only protected on a hop-
by-hop basis. Malicious proxy servers could misuse this sensitive
information.
These issues are not of concern when all the RADIUS servers, local
and proxy, used by the NAS are under the sole administrative control
of the NAS owner.
Nelson & Weber Standards Track [Page 22]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
13. Acknowledgments
Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Hannes
Tschofenig, Barney Wolff, and Glen Zorn.
14. References
14.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
14.2. Informative References
[HTML] Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
Specification, W3C", December 1999.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, October 1985.
[RFC1350] Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
RFC 1350, July 1992.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
Nelson & Weber Standards Track [Page 23]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62,
RFC 3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.
[RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3416, December 2002.
[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3417,
December 2002.
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3418, December 2002.
[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote
Authentication Dial In User Service)", RFC 3575,
July 2003.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
"IEEE 802.1X Remote Authentication Dial In User Service
(RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application", RFC 4005,
August 2005.
Nelson & Weber Standards Track [Page 24]
^L
RFC 5607 RADIUS NAS-Management Authorization July 2009
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072,
August 2005.
[RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741,
December 2006.
[RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF
Configuration Protocol over Secure SHell (SSH)", RFC 4742,
December 2006.
[RFC4743] Goddard, T., "Using NETCONF over the Simple Object Access
Protocol (SOAP)", RFC 4743, December 2006.
[RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol over
the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
December 2006.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008.
[SFTP] Galbraith, J. and O. Saarenmaa, "SSH File Transfer
Protocol", Work in Progress, July 2006.
[SSH] Barrett, D., Silverman, R., and R. Byrnes, "SSH, the
Secure Shell: The Definitive Guide, Second Edition,
O'Reilly and Associates", May 2005.
Authors' Addresses
David B. Nelson
Elbrys Networks, Inc.
282 Corporate Drive
Portsmouth, NH 03801
USA
EMail: dnelson@elbrysnetworks.com
Greg Weber
Individual Contributor
Knoxville, TN 37932
USA
EMail: gdweber@gmail.com
Nelson & Weber Standards Track [Page 25]
^L
|
