Re: LDAP Schema, CAs and RADIUS
>
> O.K., I need 'back-office' Authentication, Authorization and
>Accounting services for my Security Gateway.
>
> I can do this today, with a few bits of sticky-tape, with RADIUS,
>but what is the future?
>
> I can get Authorization by implementing LDAP and sucking down IPSEC
>VPN policies.
> I can get Authentication using Certificates and implementing a bunch
>of protocols to check CRLs.
>
> What do I do for Accounting?
>
> Some folk use RADIUS to do address-download to remote clients, e.g.
>Intranet IP address pool management and
> name server address down-load (IKECFG stuff). A nice feature to
>centralize address pool management.
I agree that this is a generally useful feature, but having a RADIUS server
manage address pools is a hack to the RADIUS protocol. There have been
proposals to extend the RADIUS protocol, and these were all turned down by the
WG chair since RADIUS is *not* a resource management protocol.
Therefore, if you want to do this, you certainly can, but not in any standard
(or reliable) fashion.
>
> I guess name-server addresses could just about be added to the IPSEC
>VPN schema (reasonably static - you hope),
> but I still need an answer for Accounting and Address Pool
>Management.
>
> Do we make the RADIUS server the meeting point for Legacy AAA, LDAP
>Policy, and CRLs?
>
So I would strongly recommend that you add any of your IPSEC/AAA requirements
in the AAA WG.
PatC