[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LDAP Schema, CAs and RADIUS

>	O.K.,  I need  'back-office'  Authentication, Authorization and
>Accounting services for my Security Gateway.
>	I can do this today, with a few bits of sticky-tape, with RADIUS,
>but what is the future?
>	I can get Authorization by implementing LDAP and sucking down IPSEC
>VPN policies.
>	I can get Authentication using Certificates and implementing a bunch
>of protocols to check CRLs.
>	What do I do for Accounting?
>	Some folk use RADIUS to do address-download to remote clients, e.g.
>Intranet IP address pool management and 
>	name server address down-load (IKECFG stuff). A nice feature to
>centralize address pool management.

I agree that this is a generally useful freature, but having a RADIUS server
manage address pools is a hack to the RADIUS protocol. There have been 
proposals to extend the RADIUS protocol, and these were all turned down by the
WG chair since RADIUS is *not* a resource management protocol.

Therefore, if you want to do this, you certainly can, but not in any standard
(or reliable) fashion.

>	I guess name-server addresses could just about be added to the IPSEC
>VPN schema (reasonably static - you hope),
>	but I still need an answer for Accounting and Address Pool
>	Do we make the RADIUS server the meeting point for Legacy AAA, LDAP
>Policy, and CRLs?

So I would strongly recommend that you add any of your IPSEC/AAA requirements 
in the AAA WG.