[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LDAP Schema, CAs and RADIUS

To: "Waters, Stephen" <Stephen.Waters@cabletron.com>, <ipsec@lists.tislabs.com>
Subject: Re: LDAP Schema, CAs and RADIUS
From: Pat.Calhoun@Eng.Sun.Com (Patrice Calhoun)
Date: Wed, 17 Mar 1999 10:17:27 -0800
Reply-To: <Pat.Calhoun@Eng.Sun.Com>
Sender: owner-ipsec@lists.tislabs.com


>
>	O.K.,  I need  'back-office'  Authentication, Authorization and
>Accounting services for my Security Gateway.
>
>	I can do this today, with a few bits of sticky-tape, with RADIUS,
>but what is the future?
>
>	I can get Authorization by implementing LDAP and sucking down IPSEC
>VPN policies.
>	I can get Authentication using Certificates and implementing a bunch
>of protocols to check CRLs.
>
>	What do I do for Accounting?
>
>	Some folk use RADIUS to do address-download to remote clients, e.g.
>Intranet IP address pool management and 
>	name server address down-load (IKECFG stuff). A nice feature to
>centralize address pool management.

I agree that this is a generally useful freature, but having a RADIUS server
manage address pools is a hack to the RADIUS protocol. There have been 
proposals to extend the RADIUS protocol, and these were all turned down by the
WG chair since RADIUS is *not* a resource management protocol.

Therefore, if you want to do this, you certainly can, but not in any standard
(or reliable) fashion.

>
>	I guess name-server addresses could just about be added to the IPSEC
>VPN schema (reasonably static - you hope),
>	but I still need an answer for Accounting and Address Pool
>Management.
>
>	Do we make the RADIUS server the meeting point for Legacy AAA, LDAP
>Policy, and CRLs?
>

So I would strongly recommend that you add any of your IPSEC/AAA requirements 
in the AAA WG.

PatC

Prev by Date: LDAP Schema, CAs and RADIUS
Next by Date: Re: The world according to MCR
Prev by thread: Re: LDAP Schema, CAs and RADIUS
Next by thread: Configuration of mobile users
Index(es):
- Main
- Thread