7 Network Working Group D. Nelson
8 Request for Comments: 5607 Elbrys Networks, Inc.
9 Category: Standards Track G. Weber
10 Individual Contributor
14 Remote Authentication Dial-In User Service (RADIUS) Authorization for
15 Network Access Server (NAS) Management
19 This document specifies Remote Authentication Dial-In User Service
20 (RADIUS) attributes for authorizing management access to a Network
21 Access Server (NAS). Both local and remote management are supported,
22 with granular access rights and management privileges. Specific
23 provisions are made for remote management via Framed Management
24 protocols and for management access over a secure transport protocol.
28 This document specifies an Internet standards track protocol for the
29 Internet community, and requests discussion and suggestions for
30 improvements. Please refer to the current edition of the "Internet
31 Official Protocol Standards" (STD 1) for the standardization state
32 and status of this protocol. Distribution of this memo is unlimited.
36 Copyright (c) 2009 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents in effect on the date of
41 publication of this document (http://trustee.ietf.org/license-info).
42 Please review these documents carefully, as they describe your rights
43 and restrictions with respect to this document.
45 This document may contain material from IETF Documents or IETF
46 Contributions published or made publicly available before November
47 10, 2008. The person(s) controlling the copyright in some of this
48 material may not have granted the IETF Trust the right to allow
49 modifications of such material outside the IETF Standards Process.
50 Without obtaining an adequate license from the person(s) controlling
51 the copyright in such materials, this document may not be modified
52 outside the IETF Standards Process, and derivative works of it may
58 Nelson & Weber Standards Track [Page 1]
60 RFC 5607 RADIUS NAS-Management Authorization July 2009
63 not be created outside the IETF Standards Process, except to format
64 it for publication as an RFC or to translate it into languages other
69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
70 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
71 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
72 4. Domain of Applicability . . . . . . . . . . . . . . . . . . . 5
73 5. New Values for Existing RADIUS Attributes . . . . . . . . . . 6
74 5.1. Service-Type . . . . . . . . . . . . . . . . . . . . . . .6
75 6. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 6
76 6.1. Framed-Management-Protocol . . . . . . . . . . . . . . . . 6
77 6.2. Management-Transport-Protection . . . . . . . . . . . . . 9
78 6.3. Management-Policy-Id . . . . . . . . . . . . . . . . . . . 11
79 6.4. Management-Privilege-Level . . . . . . . . . . . . . . . . 13
80 7. Use with Dynamic Authorization . . . . . . . . . . . . . . . . 15
81 8. Examples of Attribute Groupings . . . . . . . . . . . . . . . 15
82 9. Diameter Translation Considerations . . . . . . . . . . . . . 17
83 10. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 18
84 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
85 12. Security Considerations . . . . . . . . . . . . . . . . . . . 20
86 12.1. General Considerations . . . . . . . . . . . . . . . . . . 20
87 12.2. RADIUS Proxy Operation Considerations . . . . . . . . . . 22
88 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
89 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
90 14.1. Normative References . . . . . . . . . . . . . . . . . . . 23
91 14.2. Informative References . . . . . . . . . . . . . . . . . . 23
114 Nelson & Weber Standards Track [Page 2]
116 RFC 5607 RADIUS NAS-Management Authorization July 2009
121 RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
122 values of the Service-Type (6) Attribute. Both of these values
123 provide access to the interactive, text-based Command Line Interface
124 (CLI) of the NAS, and were originally developed to control access to
125 the physical console port of the NAS, most often a serial port.
127 Remote access to the CLI of the NAS has been available in NAS
128 implementations for many years, using protocols such as Telnet,
129 Rlogin, and the remote terminal service of the Secure SHell (SSH).
130 In order to distinguish local, physical, console access from remote
131 access, the NAS-Port-Type (61) Attribute is generally included in
132 Access-Request and Access-Accept messages, along with the Service-
133 Type (6) Attribute, to indicate the form of access. A NAS-Port-Type
134 (61) Attribute with a value of Async (0) is used to signify a local
135 serial port connection, while a value of Virtual (5) is used to
136 signify a remote connection, via a remote terminal protocol. This
137 usage provides no selectivity among the various available remote
138 terminal protocols (e.g., Telnet, Rlogin, SSH, etc.).
140 Today, it is common for network devices to support more than the two
141 privilege levels for management access provided by the Service-Type
142 (6) Attribute with values of NAS-Prompt (7) (non-privileged) and
143 Administrative (6) (privileged). Also, other management mechanisms
144 may be used, such as Web-based management, the Simple Network
145 Management Protocol (SNMP), and the Network Configuration Protocol
146 (NETCONF). To provide support for these additional features, this
147 specification defines attributes for Framed Management protocols,
148 management protocol security, and management access privilege levels.
150 Remote management via the command line is carried over protocols such
151 as Telnet, Rlogin, and the remote terminal service of SSH. Since
152 these protocols are primarily for the delivery of terminal or
153 terminal emulation services, the term "Framed Management" is used to
154 describe management protocols supporting techniques other than the
155 command line. Typically, these mechanisms format management
156 information in a binary or textual encoding such as HTML, XML, or
157 ASN.1/BER. Examples include Web-based management (HTML over HTTP or
158 HTTPS), NETCONF (XML over SSH or BEEP or SOAP), and SNMP (SMI over
159 ASN.1/BER). Command line interface, menu interface, or other text-
160 based (e.g., ASCII or UTF-8) terminal emulation services are not
161 considered to be Framed Management protocols.
170 Nelson & Weber Standards Track [Page 3]
172 RFC 5607 RADIUS NAS-Management Authorization July 2009
177 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
178 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
179 document are to be interpreted as described in RFC 2119 [RFC2119].
181 This document uses terminology from RFC 2865 [RFC2865], RFC 2866
182 [RFC2866], and RFC 5176 [RFC5176].
184 The term "integrity protection", as used in this document, is *not*
185 the same as "authentication", as used in SNMP. Integrity protection
186 requires the sharing of cryptographic keys, but it does not require
187 authenticated principals. Integrity protection could be used, for
188 example, with anonymous Diffie-Hellman key agreement. In SNMP, the
189 proof of identity of the principals (authentication) is conflated
190 with tamper-resistance of the protected messages (integrity). In
191 this document, we assume that integrity protection and authentication
192 are separate concerns. Authentication is part of the base RADIUS
195 SNMP uses the terms "auth" and "noAuth", as well as "priv" and
196 "noPriv". There is no analog to auth or noAuth in this document. In
197 this document, we are assuming that authentication always occurs when
198 it is required, i.e., as a prerequisite to provisioning of access via
199 an Access-Accept packet.
203 To support the authorization and provisioning of Framed Management
204 access to managed entities, this document introduces a new value for
205 the Service-Type (6) Attribute [RFC2865] and one new attribute. The
206 new value for the Service-Type (6) Attribute is Framed-Management
207 (18), used for remote device management via a Framed Management
208 protocol. The new attribute is Framed-Management-Protocol (133), the
209 value of which specifies a particular protocol for use in the remote
212 Two new attributes are introduced in this document in support of
213 granular management access rights or command privilege levels. The
214 Management-Policy-Id (135) Attribute provides a text string
215 specifying a policy name of local scope, that is assumed to have been
216 pre-provisioned on the NAS. This use of an attribute to specify use
217 of a pre-provisioned policy is similar to the Filter-Id (11)
218 Attribute defined in [RFC2865] Section 5.11.
220 The local application of the Management-Policy-Id (135) Attribute
221 within the managed entity may take the form of (a) one of an
222 enumeration of command privilege levels, (b) a mapping into an SNMP
226 Nelson & Weber Standards Track [Page 4]
228 RFC 5607 RADIUS NAS-Management Authorization July 2009
231 Access Control Model, such as the View-Based Access Control Model
232 (VACM) [RFC3415], or (c) some other set of management access policy
233 rules that is mutually understood by the managed entity and the
234 remote management application. Examples are given in Section 8.
236 The Management-Privilege-Level (136) Attribute contains an integer-
237 valued management privilege level indication. This attribute serves
238 to modify or augment the management permissions provided by the NAS-
239 Prompt (7) value of the Service-Type (6) Attribute, and thus applies
242 To enable management security requirements to be specified, the
243 Management-Transport-Protection (134) Attribute is introduced. The
244 value of this attribute indicates the minimum level of secure
245 transport protocol protection required for the provisioning of NAS-
246 Prompt (7), Administrative (6), or Framed-Management (18) service.
248 4. Domain of Applicability
250 Most of the RADIUS attributes defined in this document have broad
251 applicability for provisioning local and remote management access to
252 NAS devices. However, those attributes that provision remote access
253 over Framed Management protocols and over secure transports have
254 special considerations. This document does not specify the details
255 of the integration of these protocols with a RADIUS client in the NAS
256 implementation. However, there are functional requirements for
257 correct application of Framed Management protocols and/or secure
258 transport protocols that will limit the selection of such protocols
259 that can be considered for use with RADIUS. Since the RADIUS user
260 credentials are typically obtained by the RADIUS client from the
261 secure transport protocol server or the Framed Management protocol
262 server, the protocol, and its implementation in the NAS, MUST support
263 forms of credentials that are compatible with the authentication
264 methods supported by RADIUS.
266 RADIUS currently supports the following user authentication methods,
267 although others may be added in the future:
269 o Password - RFC 2865
271 o CHAP (Challenge Handshake Authentication Protocol) - RFC 2865
273 o ARAP (Apple Remote Access Protocol) - RFC 2869
275 o EAP (Extensible Authentication Protocol) - RFC 2869, RFC 3579
277 o HTTP Digest - RFC 5090
282 Nelson & Weber Standards Track [Page 5]
284 RFC 5607 RADIUS NAS-Management Authorization July 2009
287 The remote management protocols selected for use with the RADIUS
288 remote NAS management sessions, for example, those described in
289 Section 6.1, and the secure transport protocols selected to meet the
290 protection requirements, as described in Section 6.2, obviously need
291 to support user authentication methods that are compatible with those
292 that exist in RADIUS. The RADIUS authentication methods most likely
293 usable with these protocols are Password, CHAP, and possibly HTTP
294 Digest, with Password being the distinct common denominator. There
295 are many secure transports that support other, more robust,
296 authentication mechanisms, such as public key. RADIUS has no support
297 for public key authentication, except within the context of an EAP
298 Method. The applicability statement for EAP indicates that it is not
299 intended for use as an application-layer authentication mechanism, so
300 its use with the mechanisms described in this document is NOT
301 RECOMMENDED. In some cases, Password may be the only compatible
302 RADIUS authentication method available.
304 5. New Values for Existing RADIUS Attributes
308 The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
309 [RFC2865]. This document defines a new value of the Service-Type
310 Attribute, as follows:
314 The semantics of the Framed-Management service are as follows:
316 Framed-Management A Framed Management protocol session should
317 be started on the NAS.
319 6. New RADIUS Attributes
321 This document defines four new RADIUS attributes related to
322 management authorization.
324 6.1. Framed-Management-Protocol
326 The Framed-Management-Protocol (133) Attribute indicates the
327 application-layer management protocol to be used for Framed
328 Management access. It MAY be used in both Access-Request and Access-
329 Accept packets. This attribute is used in conjunction with a
330 Service-Type (6) Attribute with the value of Framed-Management (18).
332 It is RECOMMENDED that the NAS include an appropriately valued
333 Framed-Management-Protocol (133) Attribute in an Access-Request
334 packet, indicating the type of management access being requested. It
338 Nelson & Weber Standards Track [Page 6]
340 RFC 5607 RADIUS NAS-Management Authorization July 2009
343 is further RECOMMENDED that the NAS include a Service-Type (6)
344 Attribute with the value Framed-Management (18) in the same Access-
345 Request packet. The RADIUS server MAY use these attributes as a hint
346 in making its authorization decision.
348 The RADIUS server MAY include a Framed-Management-Protocol (133)
349 Attribute in an Access-Accept packet that also includes a Service-
350 Type (6) Attribute with a value of Framed-Management (18), when the
351 RADIUS server chooses to enforce a management access policy for the
352 authenticated user that dictates one form of management access in
353 preference to others.
355 When a NAS receives a Framed-Management-Protocol (133) Attribute in
356 an Access-Accept packet, it MUST deliver that specified form of
357 management access or disconnect the session. If the NAS does not
358 support the provisioned management application-layer protocol, or the
359 management access protocol requested by the user does not match that
360 of the Framed-Management-Protocol (133) Attribute in the Access-
361 Accept packet, the NAS MUST treat the Access-Accept packet as if it
362 had been an Access-Reject.
364 A summary of the Framed-Management-Protocol (133) Attribute format is
365 shown below. The fields are transmitted from left to right.
368 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
369 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
370 | Type | Length | Value
371 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
373 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
377 133 for Framed-Management-Protocol.
394 Nelson & Weber Standards Track [Page 7]
396 RFC 5607 RADIUS NAS-Management Authorization July 2009
401 The Value field is a four-octet enumerated value.
412 All other values are reserved for IANA allocation subject to the
413 provisions of Section 11.
415 The acronyms used in the above table expand as follows:
417 o SNMP: Simple Network Management Protocol [RFC3411], [RFC3412],
418 [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418].
420 o Web-based: Use of an embedded web server in the NAS for management
421 via a generic web browser client. The interface presented to the
422 administrator may be graphical, tabular, or textual. The protocol
423 is HTML over HTTP. The protocol may optionally be HTML over
424 HTTPS, i.e., using HTTP over TLS [HTML] [RFC2616].
426 o NETCONF: Management via the NETCONF protocol using XML over
427 supported transports (e.g., SSH, BEEP, SOAP). As secure transport
428 profiles are defined for NETCONF, the list of transport options
429 may expand [RFC4741], [RFC4742], [RFC4743], [RFC4744].
431 o FTP: File Transfer Protocol, used to transfer configuration files
432 to and from the NAS [RFC0959].
434 o TFTP: Trivial File Transfer Protocol, used to transfer
435 configuration files to and from the NAS [RFC1350].
437 o SFTP: SSH File Transfer Protocol, used to securely transfer
438 configuration files to and from the NAS. SFTP uses the services
439 of SSH [SFTP]. See also Section 3.7, "SSH and File Transfers" of
440 [SSH]. Additional information on the "sftp" program may typically
441 be found in the online documentation ("man" pages) of Unix
450 Nelson & Weber Standards Track [Page 8]
452 RFC 5607 RADIUS NAS-Management Authorization July 2009
455 o RCP: Remote CoPy file copy utility (Unix-based), used to transfer
456 configuration files to and from the NAS. See Section 3.7, "SSH
457 and File Transfers", of [SSH]. Additional information on the
458 "rcp" program may typically be found in the online documentation
459 ("man" pages) of Unix systems.
461 o SCP: Secure CoPy file copy utility (Unix-based), used to transfer
462 configuration files to and from the NAS. The "scp" program is a
463 simple wrapper around SSH. It's basically a patched BSD Unix
464 "rcp", which uses ssh to do the data transfer (instead of using
465 "rcmd"). See Section 3.7, "SSH and File Transfers", of [SSH].
466 Additional information on the "scp" program may typically be found
467 in the online documentation ("man" pages) of Unix systems.
469 6.2. Management-Transport-Protection
471 The Management-Transport-Protection (134) Attribute specifies the
472 minimum level of protection that is required for a protected
473 transport used with the Framed or non-Framed Management access
474 session. The protected transport used by the NAS MAY provide a
475 greater level of protection, but MUST NOT provide a lower level of
478 When a secure form of non-Framed Management access is specified, it
479 means that the remote terminal session is encapsulated in some form
480 of protected transport, or tunnel. It may also mean that an explicit
481 secure mode of operation is required, when the Framed Management
482 protocol contains an intrinsic secure mode of operation. The
483 Management-Transport-Protection (134) Attribute does not apply to CLI
484 access via a local serial port, or other non-remote connection.
486 When a secure form of Framed Management access is specified, it means
487 that the application-layer management protocol is encapsulated in
488 some form of protected transport, or tunnel. It may also mean that
489 an explicit secure mode of operation is required, when the Framed
490 Management protocol contains an intrinsic secure mode of operation.
492 A value of "No Protection (1)" indicates that a secure transport
493 protocol is not required, and that the NAS SHOULD accept a connection
494 over any transport associated with the application-layer management
495 protocol. The definitions of management application to transport
496 bindings are defined in the relevant documents that specify those
497 management application protocols. The same "No Protection" semantics
498 are conveyed by omitting this attribute from an Access-Accept packet.
500 Specific protected transport protocols, cipher suites, key agreement
501 methods, or authentication methods are not specified by this
502 attribute. Such provisioning is beyond the scope of this document.
506 Nelson & Weber Standards Track [Page 9]
508 RFC 5607 RADIUS NAS-Management Authorization July 2009
511 It is RECOMMENDED that the NAS include an appropriately valued
512 Management-Transport-Protection (134) Attribute in an Access-Request
513 packet, indicating the level of transport protection for the
514 management access being requested, when that information is available
515 to the RADIUS client. The RADIUS server MAY use this attribute as a
516 hint in making its authorization decision.
518 The RADIUS server MAY include a Management-Transport-Protection (134)
519 Attribute in an Access-Accept packet that also includes a Service-
520 Type (6) Attribute with a value of Framed-Management (18), when the
521 RADIUS server chooses to enforce a management access security policy
522 for the authenticated user that dictates a minimum level of transport
525 When a NAS receives a Management-Transport-Protection (134) Attribute
526 in an Access-Accept packet, it MUST deliver the management access
527 over a transport with equal or better protection characteristics or
528 disconnect the session. If the NAS does not support protected
529 management transport protocols, or the level of protection available
530 does not match that of the Management-Transport-Protection (134)
531 Attribute in the Access-Accept packet, the NAS MUST treat the
532 response packet as if it had been an Access-Reject.
534 A summary of the Management-Transport-Protection (134) Attribute
535 format is shown below. The fields are transmitted from left to
539 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
540 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
541 | Type | Length | Value
542 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
544 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
548 134 for Management-Transport-Protection.
562 Nelson & Weber Standards Track [Page 10]
564 RFC 5607 RADIUS NAS-Management Authorization July 2009
569 The Value field is a four-octet enumerated value.
572 2 Integrity-Protection
573 3 Integrity-Confidentiality-Protection
575 All other values are reserved for IANA allocation subject to the
576 provisions of Section 11.
578 The names used in the above table are elaborated as follows:
580 o No-Protection: No transport protection is required. Accept
581 connections via any supported transport.
583 o Integrity-Protection: The management transport MUST provide
584 Integrity Protection, i.e., protection from unauthorized
585 modification, using a cryptographic checksum.
587 o Integrity-Confidentiality-Protection: The management transport
588 MUST provide both Integrity Protection and Confidentiality
589 Protection, i.e., protection from unauthorized modification, using
590 a cryptographic checksum, and protection from unauthorized
591 disclosure, using encryption.
593 The configuration or negotiation of acceptable algorithms, modes, and
594 credentials for the cryptographic protection mechanisms used in
595 implementing protected management transports is outside the scope of
596 this document. Many such mechanisms have standardized methods of
597 configuration and key management.
599 6.3. Management-Policy-Id
601 The Management-Policy-Id (135) Attribute indicates the name of the
602 management access policy for this user. Zero or one Management-
603 Policy-Id (135) Attributes MAY be sent in an Access-Accept packet.
604 Identifying a policy by name allows the policy to be used on
605 different NASes without regard to implementation details.
607 Multiple forms of management access rules may be expressed by the
608 underlying named policy, the definition of which is beyond the scope
609 of this document. The management access policy MAY be applied
610 contextually, based on the nature of the management access method.
611 For example, some named policies may only be valid for application to
612 NAS-Prompt (7) services and some other policies may only be valid for
618 Nelson & Weber Standards Track [Page 11]
620 RFC 5607 RADIUS NAS-Management Authorization July 2009
623 The management access policy named in this attribute, received in an
624 Access-Accept packet, MUST be applied to the session authorized by
625 the Access-Accept. If the NAS supports this attribute, but the
626 policy name is unknown, or if the RADIUS client is able to determine
627 that the policy rules are incorrectly formatted, the NAS MUST treat
628 the Access-Accept packet as if it had been an Access-Reject.
630 No precedence relationship is defined for multiple occurrences of the
631 Management-Policy-Id (135) Attribute. NAS behavior in such cases is
632 undefined. Therefore, two or more occurrences of this attribute
633 SHOULD NOT be included in an Access-Accept or CoA-Request (Change-of-
634 Authorization). In the absence of further specification defining
635 some sort of precedence relationship, it is not possible to guarantee
636 multi-vendor interoperability when using multiple instances of this
637 attribute in a single Access-Accept or CoA-Request packet.
639 The content of the Management-Policy-Id (135) Attribute is expected
640 to be the name of a management access policy of local significance to
641 the NAS, within a namespace of significance to the NAS. In this
642 regard, the behavior is similar to that for the Filter-Id (11)
643 Attribute. The policy names and rules are committed to the local
644 configuration data-store of the NAS, and are provisioned by means
645 beyond the scope of this document, such as via SNMP, NETCONF, or CLI.
647 The namespace used in the Management-Policy-Id (135) Attribute is
648 simple and monolithic. There is no explicit or implicit structure or
649 hierarchy. For example, in the text string "example.com", the "."
650 (period or dot) is just another character. It is expected that text
651 string matching will be performed without parsing the text string
654 Overloading or subdividing this simple name with multi-part
655 specifiers (e.g., Access=remote, Level=7) is likely to lead to poor
656 multi-vendor interoperability and SHOULD NOT be utilized. If a
657 simple, unstructured policy name is not sufficient, it is RECOMMENDED
658 that a Vendor Specific (26) Attribute be used instead, rather than
659 overloading the semantics of Management-Policy-Id.
674 Nelson & Weber Standards Track [Page 12]
676 RFC 5607 RADIUS NAS-Management Authorization July 2009
679 A summary of the Management-Policy-Id (135) Attribute format is shown
680 below. The fields are transmitted from left to right.
683 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
684 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
685 | Type | Length | Text ...
686 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
690 135 for Management-Policy-Id.
698 The Text field is one or more octets, and its contents are
699 implementation dependent. It is intended to be human
700 readable and the contents MUST NOT be parsed by the receiver;
701 the contents can only be used to look up locally defined
702 policies. It is RECOMMENDED that the message contain UTF-8
703 encoded 10646 [RFC3629] characters.
705 6.4. Management-Privilege-Level
707 The Management-Privilege-Level (136) Attribute indicates the integer-
708 valued privilege level to be assigned for management access for the
709 authenticated user. Many NASes provide the notion of differentiated
710 management privilege levels denoted by an integer value. The
711 specific access rights conferred by each value are implementation
712 dependent. It MAY be used in both Access-Request and Access-Accept
715 The mapping of integer values for this attribute to specific
716 collections of management access rights or permissions on the NAS is
717 vendor and implementation specific. Such mapping is often a user-
718 configurable feature. It's RECOMMENDED that greater numeric values
719 imply greater privilege. However, it would be a mistake to assume
720 that this recommendation always holds.
722 The management access level indicated in this attribute, received in
723 an Access-Accept packet, MUST be applied to the session authorized by
724 the Access-Accept. If the NAS supports this attribute, but the
725 privilege level is unknown, the NAS MUST treat the Access-Accept
726 packet as if it had been an Access-Reject.
730 Nelson & Weber Standards Track [Page 13]
732 RFC 5607 RADIUS NAS-Management Authorization July 2009
735 A summary of the Management-Privilege-Level (136) Attribute format is
736 show below. The fields are transmitted from left to right.
740 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
741 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
742 | Type | Length | Value
743 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
745 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
749 136 for Management-Privilege-Level.
757 The Value field is a four-octet Integer, denoting a management
761 It is RECOMMENDED to limit use of the Management-Privilege-Level
762 (136) Attribute to sessions where the Service-Type (6) Attribute has
763 a value of NAS-Prompt (7) (not Administrative). Typically, NASes
764 treat NAS-Prompt as the minimal privilege CLI service and
765 Administrative as full privilege. Using the Management-Privilege-
766 Level (136) Attribute with a Service-Type (6) Attribute having a
767 value of NAS-Prompt (7) will have the effect of increasing the
768 minimum privilege level. Conversely, it is NOT RECOMMENDED to use
769 this attribute with a Service-Type (6) Attribute with a value of
770 Administrative (6), which may require decreasing the maximum
773 It is NOT RECOMMENDED to use the Management-Privilege-Level (136)
774 Attribute in combination with a Management-Policy-Id (135) Attribute
775 or for management access methods other than interactive CLI. The
776 behavior resulting from such an overlay of management access control
777 provisioning is not defined by this document, and in the absence of
778 further specification, is likely to lead to unexpected behaviors,
779 especially in multi-vendor environments.
786 Nelson & Weber Standards Track [Page 14]
788 RFC 5607 RADIUS NAS-Management Authorization July 2009
791 7. Use with Dynamic Authorization
793 It is entirely OPTIONAL for the NAS management authorization
794 attributes specified in this document to be used in conjunction with
795 Dynamic Authorization extensions to RADIUS [RFC5176]. When such
796 usage occurs, those attributes MAY be used as listed in the Table of
797 Attributes in Section 10.
799 Some guidance on how to identify existing management sessions on a
800 NAS for the purposes of Dynamic Authorization is useful. The primary
801 session identifiers SHOULD be User-Name (1) and Service-Type (6). To
802 accommodate instances when that information alone does not uniquely
803 identify a session, a NAS supporting Dynamic Authorization SHOULD
804 maintain one or more internal session identifiers that can be
805 represented as RADIUS attributes. Examples of such attributes
806 include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port
807 (5), or NAS-Port-Id (87). In the case of a remote management
808 session, common identifier values might include things such as the
809 remote IP address and remote TCP port number, or the file descriptor
810 value for use with the open socket. Any such identifier is obviously
811 transient in nature, and implementations SHOULD take care to avoid
812 and/or properly handle duplicate or stale values.
814 In order for the session identification attributes to be available to
815 the Dynamic Authorization Client, a NAS supporting Dynamic
816 Authorization for management sessions SHOULD include those session
817 identification attributes in the Access-Request message for each such
818 session. Additional discussion of session identification attribute
819 usage may be found in Section 3 of [RFC5176].
821 8. Examples of Attribute Groupings
823 1. Unprotected CLI access, via the local console, to the "super-
826 * Service-Type (6) = Administrative (6)
828 * NAS-Port-Type (61) = Async (0)
830 * Management-Transport-Protection (134) = No-Protection (1)
832 2. Unprotected CLI access, via a remote console, to the "super-user"
835 * Service-Type (6) = Administrative (6)
837 * NAS-Port-Type (61) = Virtual (5)
842 Nelson & Weber Standards Track [Page 15]
844 RFC 5607 RADIUS NAS-Management Authorization July 2009
847 * Management-Transport-Protection (134) = No-Protection (1)
849 3. CLI access, via a fully protected secure remote terminal service
850 to the non-privileged user access level:
852 * Service-Type (6) = NAS-Prompt (7)
854 * NAS-Port-Type (61) = Virtual (5)
856 * Management-Transport-Protection (134) = Integrity-
857 Confidentiality-Protection (3)
859 4. CLI access, via a fully protected secure remote terminal service,
860 to a custom management access level, defined by a policy:
862 * Service-Type (6) = NAS-Prompt (7)
864 * NAS-Port-Type (61) = Virtual (5)
866 * Management-Transport-Protection (134) = Integrity-
867 Confidentiality-Protection (3)
869 * Management-Policy-Id (135) = "Network Administrator"
871 5. CLI access, via a fully protected secure remote terminal service,
872 with a management privilege level of 15:
874 * Service-Type (6) = NAS-Prompt (7)
876 * NAS-Port-Type (61) = Virtual (5)
878 * Management-Transport-Protection (134) = Integrity-
879 Confidentiality-Protection (3)
881 * Management-Privilege-Level (136) = 15
883 6. SNMP access, using an Access Control Model specifier, such as a
884 custom VACM View, defined by a policy:
886 * Service-Type (6) = Framed-Management (18)
888 * NAS-Port-Type (61) = Virtual (5)
890 * Framed-Management-Protocol (133) = SNMP (1)
892 * Management-Policy-Id (135) = "SNMP Network Administrator View"
898 Nelson & Weber Standards Track [Page 16]
900 RFC 5607 RADIUS NAS-Management Authorization July 2009
903 There is currently no standardized way of implementing this
904 management policy mapping within SNMP. Such mechanisms are the
905 topic of current research.
907 7. SNMP fully protected access:
909 * Service-Type (6) = Framed-Management (18)
911 * NAS-Port-Type (61) = Virtual (5)
913 * Framed-Management-Protocol (133) = SNMP (1)
915 * Management-Transport-Protection (134) = Integrity-
916 Confidentiality-Protection (3)
918 8. Web (HTTP/HTML) access:
920 * Service-Type (6) = Framed-Management (18)
922 * NAS-Port-Type (61) = Virtual (5)
924 * Framed-Management-Protocol (133) = Web-based (2)
926 9. Secure web access, using a custom management access level,
929 * Service-Type (6) = Framed-Management (18)
931 * NAS-Port-Type (61) = Virtual (5)
933 * Framed-Management-Protocol (133) = Web-based (2)
935 * Management-Transport-Protection (134) = Integrity-
936 Confidentiality-Protection (3)
938 * Management-Policy-Id (135) = "Read-only web access"
940 9. Diameter Translation Considerations
942 When used in Diameter, the attributes defined in this specification
943 can be used as Diameter attribute-value pairs (AVPs) from the Code
944 space 1-255 (RADIUS attribute compatibility space). No additional
945 Diameter Code values are therefore allocated. The data types and
946 flag rules for the attributes are as follows:
954 Nelson & Weber Standards Track [Page 17]
956 RFC 5607 RADIUS NAS-Management Authorization July 2009
959 +---------------------+
961 |----+-----+----+-----|----+
963 Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr|
964 ---------------------------------|----+-----+----+-----|----|
965 Service-Type | | | | | |
966 Enumerated | M | P | | V | Y |
967 Framed-Management-Protocol | | | | | |
968 Enumerated | M | P | | V | Y |
969 Management-Transport-Protection | | | | | |
970 Enumerated | M | P | | V | Y |
971 Management-Policy-Id | | | | | |
972 UTF8String | M | P | | V | Y |
973 Management-Privilege-Level | | | | | |
974 Integer | M | P | | V | Y |
975 ---------------------------------|----+-----+----+-----|----|
977 The attributes in this specification have no special translation
978 requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
979 they are copied as is, except for changes relating to headers,
980 alignment, and padding. See also [RFC3588], Section 4.1, and
981 [RFC4005], Section 9.
983 What this specification says about the applicability of the
984 attributes for RADIUS Access-Request packets applies in Diameter to
985 AA-Request [RFC4005].
987 What is said about Access-Accept applies in Diameter to AA-Answer
988 messages that indicate success.
990 10. Table of Attributes
992 The following table provides a guide to which attributes may be found
993 in which kinds of packets, and in what quantity.
996 Request Accept Reject Challenge # Attribute
997 ---------------------------------------------------------------------
998 0-1 0-1 0 0 133 Framed-Management-Protocol
999 0-1 0-1 0 0 134 Management-Transport-Protection
1000 0 0-1 0 0 135 Management-Policy-Id
1001 0 0-1 0 0 136 Management-Privilege-Level
1010 Nelson & Weber Standards Track [Page 18]
1012 RFC 5607 RADIUS NAS-Management Authorization July 2009
1016 Request Response # Attribute
1017 ---------------------------------------------------------------------
1018 0-1 0 133 Framed-Management-Protocol
1019 0-1 0 134 Management-Transport-Protection
1020 0-1 0 135 Management-Policy-Id
1021 0-1 0 136 Management-Privilege-Level
1025 Change-of-Authorization Messages
1026 Request ACK NAK # Attribute
1027 --------------------------------------------------------------------
1028 0 0 0 133 Framed-Management-Protocol
1029 0 0 0 134 Management-Transport-Protection
1030 0-1 0 0 135 Management-Policy-Id (Note 1)
1031 0-1 0 0 136 Management-Privilege-Level (Note 1)
1035 Request ACK NAK # Attribute
1036 ---------------------------------------------------------------------
1037 0 0 0 133 Framed-Management-Protocol
1038 0 0 0 134 Management-Transport-Protection
1039 0 0 0 135 Management-Policy-Id
1040 0 0 0 136 Management-Privilege-Level
1042 (Note 1) When included within a CoA-Request, these attributes
1043 represent an authorization change request. When one of these
1044 attributes is omitted from a CoA-Request, the NAS assumes that the
1045 attribute value is to remain unchanged. Attributes included in a
1046 CoA-Request replace all existing values of the same attribute(s).
1048 The following table defines the meaning of the above table entries.
1050 0 This attribute MUST NOT be present in a packet.
1051 0+ Zero or more instances of this attribute MAY be present in
1053 0-1 Zero or one instance of this attribute MAY be present in
1055 1 Exactly one instance of this attribute MUST be present in
1058 11. IANA Considerations
1060 The following numbers have been assigned in the RADIUS Attribute
1066 Nelson & Weber Standards Track [Page 19]
1068 RFC 5607 RADIUS NAS-Management Authorization July 2009
1071 o New enumerated value for the existing Service-Type Attribute:
1073 * Framed-Management (18)
1075 o New RADIUS Attribute Types:
1077 * Framed-Management-Protocol (133)
1079 * Management-Transport-Protection (134)
1081 * Management-Policy-Id (135)
1083 * Management-Privilege-Level (136)
1085 The enumerated values of the newly assigned RADIUS Attribute Types as
1086 defined in this document were assigned at the same time as the new
1089 For the Framed-Management-Protocol Attribute:
1100 For the Management-Transport-Protection Attribute:
1103 2 Integrity-Protection
1104 3 Integrity-Confidentiality-Protection
1106 Assignments of additional enumerated values for the RADIUS attributes
1107 defined in this document are to be processed as described in
1108 [RFC3575], subject to the additional requirement of a published
1111 12. Security Considerations
1113 12.1. General Considerations
1115 This specification describes the use of RADIUS and Diameter for
1116 purposes of authentication, authorization, and accounting for
1117 management access to devices within networks. RADIUS threats and
1118 security issues for this application are described in [RFC3579] and
1122 Nelson & Weber Standards Track [Page 20]
1124 RFC 5607 RADIUS NAS-Management Authorization July 2009
1127 [RFC3580]; security issues encountered in roaming are described in
1128 [RFC2607]. For Diameter, the security issues relating to this
1129 application are described in [RFC4005] and [RFC4072].
1131 This document specifies new attributes that can be included in
1132 existing RADIUS packets, which may be protected as described in
1133 [RFC3579] and [RFC5176]. In Diameter, the attributes are protected
1134 as specified in [RFC3588]. See those documents for a more detailed
1137 The security mechanisms supported in RADIUS and Diameter are focused
1138 on preventing an attacker from spoofing packets or modifying packets
1139 in transit. They do not prevent an authorized RADIUS/Diameter server
1140 or proxy from inserting attributes with malicious intent.
1142 A legacy NAS may not recognize the attributes in this document that
1143 supplement the provisioning of CLI management access. If the value
1144 of the Service-Type Attribute is NAS-Prompt or Administrative, the
1145 legacy NAS may silently discard such attributes, while permitting the
1146 user to access the CLI management interface(s) of the NAS. This can
1147 lead to users improperly receiving authorized management access to
1148 the NAS, or access with greater levels of access rights than were
1149 intended. RADIUS servers SHOULD attempt to ascertain whether or not
1150 the NAS supports these attributes before sending them in an Access-
1151 Accept message that provisions CLI access.
1153 It is possible that certain NAS implementations may not be able to
1154 determine the protection properties of the underlying transport
1155 protocol as specified by the Management-Transport-Protection
1156 Attribute. This may be a limitation of the standard application
1157 programming interface of the underlying transport implementation or
1158 of the integration of the transport into the NAS implementation. In
1159 either event, NASes conforming to this specification, which cannot
1160 determine the protection state of the remote management connection,
1161 MUST treat an Access-Accept message containing a Management-
1162 Transport-Protection Attribute containing a value other than No-
1163 Protection (1) as if it were an Access-Reject message, unless
1164 specifically overridden by local policy configuration.
1166 Use of the No-Protection (1) option for the Management-Transport-
1167 Protection (134) Attribute is NOT RECOMMENDED in any deployment where
1168 secure management or configuration is required.
1178 Nelson & Weber Standards Track [Page 21]
1180 RFC 5607 RADIUS NAS-Management Authorization July 2009
1183 12.2. RADIUS Proxy Operation Considerations
1185 The device management access authorization attributes presented in
1186 this document present certain considerations when used in RADIUS
1187 proxy environments. These considerations are not different from
1188 those that exist in RFC 2865 [RFC2865] with respect to the Service-
1189 Type Attribute values of Administrative and NAS-Prompt.
1191 Most RADIUS proxy environments are also multi-party environments. In
1192 multi-party proxy environments it is important to distinguish which
1193 entities have the authority to provision management access to the
1194 edge devices, i.e., NASes, and which entities only have authority to
1195 provision network access services of various sorts.
1197 It may be important that operators of the NAS are able to ensure that
1198 access to the CLI, or other management interfaces of the NAS, is only
1199 provisioned to their own employees or contractors. One way for the
1200 NAS to enforce this requirement is to use only local, non-proxy
1201 RADIUS servers for management access requests. Proxy RADIUS servers
1202 could be used for non-management access requests, based on local
1203 policy. This "bifurcation" of RADIUS authentication and
1204 authorization is a simple case of separate administrative realms.
1205 The NAS may be designed so as to maintain separate lists of RADIUS
1206 servers for management AAA use and for non-management AAA use.
1208 An alternate method of enforcing this requirement would be for the
1209 first-hop RADIUS proxy server, operated by the owner of the NAS, to
1210 filter out any RADIUS attributes that provision management access
1211 rights that originate from "up-stream" proxy servers not operated by
1212 the NAS owner. Access-Accept messages that provision such locally
1213 unauthorized management access MAY be treated as if they were an
1214 Access-Reject by the first-hop proxy server.
1216 An additional exposure present in proxy deployments is that sensitive
1217 user credentials, e.g., passwords, are likely to be available in
1218 cleartext form at each of the proxy servers. Encrypted or hashed
1219 credentials are not subject to this risk, but password authentication
1220 is a very commonly used mechanism for management access
1221 authentication, and in RADIUS passwords are only protected on a hop-
1222 by-hop basis. Malicious proxy servers could misuse this sensitive
1225 These issues are not of concern when all the RADIUS servers, local
1226 and proxy, used by the NAS are under the sole administrative control
1234 Nelson & Weber Standards Track [Page 22]
1236 RFC 5607 RADIUS NAS-Management Authorization July 2009
1241 Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
1242 David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Hannes
1243 Tschofenig, Barney Wolff, and Glen Zorn.
1247 14.1. Normative References
1249 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1250 Requirement Levels", BCP 14, RFC 2119, March 1997.
1252 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
1253 "Remote Authentication Dial In User Service (RADIUS)",
1254 RFC 2865, June 2000.
1256 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
1257 10646", STD 63, RFC 3629, November 2003.
1259 14.2. Informative References
1261 [HTML] Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
1262 Specification, W3C", December 1999.
1264 [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
1265 STD 9, RFC 959, October 1985.
1267 [RFC1350] Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
1268 RFC 1350, July 1992.
1270 [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
1271 Implementation in Roaming", RFC 2607, June 1999.
1273 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
1274 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
1275 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
1277 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
1279 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
1280 Architecture for Describing Simple Network Management
1281 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
1290 Nelson & Weber Standards Track [Page 23]
1292 RFC 5607 RADIUS NAS-Management Authorization July 2009
1295 [RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
1296 "Message Processing and Dispatching for the Simple Network
1297 Management Protocol (SNMP)", STD 62, RFC 3412,
1300 [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
1301 Management Protocol (SNMP) Applications", STD 62,
1302 RFC 3413, December 2002.
1304 [RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
1305 (USM) for version 3 of the Simple Network Management
1306 Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
1308 [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
1309 Access Control Model (VACM) for the Simple Network
1310 Management Protocol (SNMP)", STD 62, RFC 3415,
1313 [RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the
1314 Simple Network Management Protocol (SNMP)", STD 62,
1315 RFC 3416, December 2002.
1317 [RFC3417] Presuhn, R., "Transport Mappings for the Simple Network
1318 Management Protocol (SNMP)", STD 62, RFC 3417,
1321 [RFC3418] Presuhn, R., "Management Information Base (MIB) for the
1322 Simple Network Management Protocol (SNMP)", STD 62,
1323 RFC 3418, December 2002.
1325 [RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote
1326 Authentication Dial In User Service)", RFC 3575,
1329 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
1330 Dial In User Service) Support For Extensible
1331 Authentication Protocol (EAP)", RFC 3579, September 2003.
1333 [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
1334 "IEEE 802.1X Remote Authentication Dial In User Service
1335 (RADIUS) Usage Guidelines", RFC 3580, September 2003.
1337 [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
1338 Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
1340 [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
1341 "Diameter Network Access Server Application", RFC 4005,
1346 Nelson & Weber Standards Track [Page 24]
1348 RFC 5607 RADIUS NAS-Management Authorization July 2009
1351 [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
1352 Authentication Protocol (EAP) Application", RFC 4072,
1355 [RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741,
1358 [RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF
1359 Configuration Protocol over Secure SHell (SSH)", RFC 4742,
1362 [RFC4743] Goddard, T., "Using NETCONF over the Simple Object Access
1363 Protocol (SOAP)", RFC 4743, December 2006.
1365 [RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol over
1366 the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
1369 [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
1370 Aboba, "Dynamic Authorization Extensions to Remote
1371 Authentication Dial In User Service (RADIUS)", RFC 5176,
1374 [SFTP] Galbraith, J. and O. Saarenmaa, "SSH File Transfer
1375 Protocol", Work in Progress, July 2006.
1377 [SSH] Barrett, D., Silverman, R., and R. Byrnes, "SSH, the
1378 Secure Shell: The Definitive Guide, Second Edition,
1379 O'Reilly and Associates", May 2005.
1384 Elbrys Networks, Inc.
1386 Portsmouth, NH 03801
1389 EMail: dnelson@elbrysnetworks.com
1393 Individual Contributor
1397 EMail: gdweber@gmail.com
1402 Nelson & Weber Standards Track [Page 25]