Network Working Group                                          D. Nelson
Request for Comments: 5607                          Elbrys Networks, Inc.
Category: Standards Track                                       G. Weber
                                                  Individual Contributor
                                                               July 2009
Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management
Abstract
This document specifies Remote Authentication Dial-In User Service (RADIUS) attributes for authorizing management access to a Network Access Server (NAS). Both local and remote management are supported, with granular access rights and management privileges. Specific provisions are made for remote management via Framed Management protocols and for management access over a secure transport protocol.
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
   1.  Introduction
   2.  Terminology
   3.  Overview
   4.  Domain of Applicability
   5.  New Values for Existing RADIUS Attributes
       5.1.  Service-Type
   6.  New RADIUS Attributes
       6.1.  Framed-Management-Protocol
       6.2.  Management-Transport-Protection
       6.3.  Management-Policy-Id
       6.4.  Management-Privilege-Level
   7.  Use with Dynamic Authorization
   8.  Examples of Attribute Groupings
   9.  Diameter Translation Considerations
   10. Table of Attributes
   11. IANA Considerations
   12. Security Considerations
       12.1.  General Considerations
       12.2.  RADIUS Proxy Operation Considerations
   13. Acknowledgments
   14. References
       14.1.  Normative References
       14.2.  Informative References
1.  Introduction

RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6) values of the Service-Type (6) Attribute. Both of these values provide access to the interactive, text-based Command Line Interface (CLI) of the NAS, and were originally developed to control access to the physical console port of the NAS, most often a serial port.
Remote access to the CLI of the NAS has been available in NAS implementations for many years, using protocols such as Telnet, Rlogin, and the remote terminal service of the Secure SHell (SSH). In order to distinguish local, physical, console access from remote access, the NAS-Port-Type (61) Attribute is generally included in Access-Request and Access-Accept messages, along with the Service-Type (6) Attribute, to indicate the form of access. A NAS-Port-Type (61) Attribute with a value of Async (0) is used to signify a local serial port connection, while a value of Virtual (5) is used to signify a remote connection, via a remote terminal protocol. This usage provides no selectivity among the various available remote terminal protocols (e.g., Telnet, Rlogin, SSH, etc.).
Today, it is common for network devices to support more than the two privilege levels for management access provided by the Service-Type (6) Attribute with values of NAS-Prompt (7) (non-privileged) and Administrative (6) (privileged). Also, other management mechanisms may be used, such as Web-based management, the Simple Network Management Protocol (SNMP), and the Network Configuration Protocol (NETCONF). To provide support for these additional features, this specification defines attributes for Framed Management protocols, management protocol security, and management access privilege levels.
Remote management via the command line is carried over protocols such as Telnet, Rlogin, and the remote terminal service of SSH. Since these protocols are primarily for the delivery of terminal or terminal emulation services, the term "Framed Management" is used to describe management protocols supporting techniques other than the command line. Typically, these mechanisms format management information in a binary or textual encoding such as HTML, XML, or ASN.1/BER. Examples include Web-based management (HTML over HTTP or HTTPS), NETCONF (XML over SSH or BEEP or SOAP), and SNMP (SMI over ASN.1/BER). Command line interface, menu interface, or other text-based (e.g., ASCII or UTF-8) terminal emulation services are not considered to be Framed Management protocols.
2.  Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology from RFC 2865 [RFC2865], RFC 2866 [RFC2866], and RFC 5176 [RFC5176].
The term "integrity protection", as used in this document, is *not* the same as "authentication", as used in SNMP. Integrity protection requires the sharing of cryptographic keys, but it does not require authenticated principals. Integrity protection could be used, for example, with anonymous Diffie-Hellman key agreement. In SNMP, the proof of identity of the principals (authentication) is conflated with tamper-resistance of the protected messages (integrity). In this document, we assume that integrity protection and authentication are separate concerns. Authentication is part of the base RADIUS protocol.
SNMP uses the terms "auth" and "noAuth", as well as "priv" and "noPriv". There is no analog to auth or noAuth in this document. In this document, we are assuming that authentication always occurs when it is required, i.e., as a prerequisite to provisioning of access via an Access-Accept packet.
3.  Overview

To support the authorization and provisioning of Framed Management access to managed entities, this document introduces a new value for the Service-Type (6) Attribute [RFC2865] and one new attribute. The new value for the Service-Type (6) Attribute is Framed-Management (18), used for remote device management via a Framed Management protocol. The new attribute is Framed-Management-Protocol (133), the value of which specifies a particular protocol for use in the remote management session.
Two new attributes are introduced in this document in support of granular management access rights or command privilege levels. The Management-Policy-Id (135) Attribute provides a text string specifying a policy name of local scope that is assumed to have been pre-provisioned on the NAS. This use of an attribute to specify use of a pre-provisioned policy is similar to the Filter-Id (11) Attribute defined in [RFC2865] Section 5.11.
The local application of the Management-Policy-Id (135) Attribute within the managed entity may take the form of (a) one of an enumeration of command privilege levels, (b) a mapping into an SNMP Access Control Model, such as the View-Based Access Control Model (VACM) [RFC3415], or (c) some other set of management access policy rules that is mutually understood by the managed entity and the remote management application. Examples are given in Section 8.
The Management-Privilege-Level (136) Attribute contains an integer-valued management privilege level indication. This attribute serves to modify or augment the management permissions provided by the NAS-Prompt (7) value of the Service-Type (6) Attribute, and thus applies to CLI management.
To enable management security requirements to be specified, the Management-Transport-Protection (134) Attribute is introduced. The value of this attribute indicates the minimum level of secure transport protocol protection required for the provisioning of NAS-Prompt (7), Administrative (6), or Framed-Management (18) service.
4.  Domain of Applicability

Most of the RADIUS attributes defined in this document have broad applicability for provisioning local and remote management access to NAS devices. However, those attributes that provision remote access over Framed Management protocols and over secure transports have special considerations. This document does not specify the details of the integration of these protocols with a RADIUS client in the NAS implementation. However, there are functional requirements for correct application of Framed Management protocols and/or secure transport protocols that will limit the selection of such protocols that can be considered for use with RADIUS. Since the RADIUS user credentials are typically obtained by the RADIUS client from the secure transport protocol server or the Framed Management protocol server, the protocol, and its implementation in the NAS, MUST support forms of credentials that are compatible with the authentication methods supported by RADIUS.
RADIUS currently supports the following user authentication methods, although others may be added in the future:
o Password - RFC 2865
o CHAP (Challenge Handshake Authentication Protocol) - RFC 2865
o ARAP (Apple Remote Access Protocol) - RFC 2869
o EAP (Extensible Authentication Protocol) - RFC 2869, RFC 3579
o HTTP Digest - RFC 5090
The remote management protocols selected for use with the RADIUS remote NAS management sessions, for example, those described in Section 6.1, and the secure transport protocols selected to meet the protection requirements, as described in Section 6.2, obviously need to support user authentication methods that are compatible with those that exist in RADIUS. The RADIUS authentication methods most likely usable with these protocols are Password, CHAP, and possibly HTTP Digest, with Password being the distinct common denominator. There are many secure transports that support other, more robust, authentication mechanisms, such as public key. RADIUS has no support for public key authentication, except within the context of an EAP Method. The applicability statement for EAP indicates that it is not intended for use as an application-layer authentication mechanism, so its use with the mechanisms described in this document is NOT RECOMMENDED. In some cases, Password may be the only compatible RADIUS authentication method available.
5.  New Values for Existing RADIUS Attributes

5.1.  Service-Type

The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865 [RFC2865]. This document defines a new value of the Service-Type Attribute, as follows:
      18      Framed-Management
The semantics of the Framed-Management service are as follows:
   Framed-Management
      A Framed Management protocol session should be started on the NAS.
6.  New RADIUS Attributes

This document defines four new RADIUS attributes related to management authorization.
6.1.  Framed-Management-Protocol

The Framed-Management-Protocol (133) Attribute indicates the application-layer management protocol to be used for Framed Management access. It MAY be used in both Access-Request and Access-Accept packets. This attribute is used in conjunction with a Service-Type (6) Attribute with the value of Framed-Management (18).
It is RECOMMENDED that the NAS include an appropriately valued Framed-Management-Protocol (133) Attribute in an Access-Request packet, indicating the type of management access being requested. It is further RECOMMENDED that the NAS include a Service-Type (6) Attribute with the value Framed-Management (18) in the same Access-Request packet. The RADIUS server MAY use these attributes as a hint in making its authorization decision.
The RADIUS server MAY include a Framed-Management-Protocol (133) Attribute in an Access-Accept packet that also includes a Service-Type (6) Attribute with a value of Framed-Management (18), when the RADIUS server chooses to enforce a management access policy for the authenticated user that dictates one form of management access in preference to others.
When a NAS receives a Framed-Management-Protocol (133) Attribute in an Access-Accept packet, it MUST deliver that specified form of management access or disconnect the session. If the NAS does not support the provisioned management application-layer protocol, or the management access protocol requested by the user does not match that of the Framed-Management-Protocol (133) Attribute in the Access-Accept packet, the NAS MUST treat the Access-Accept packet as if it had been an Access-Reject.
A summary of the Framed-Management-Protocol (133) Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
133 for Framed-Management-Protocol.
Length
6
Value
The Value field is a four-octet enumerated value.
      1  SNMP
      2  Web-based
      3  NETCONF
      4  FTP
      5  TFTP
      6  SFTP
      7  RCP
      8  SCP
All other values are reserved for IANA allocation subject to the provisions of Section 11.
The acronyms used in the above table expand as follows:
o SNMP: Simple Network Management Protocol [RFC3411], [RFC3412], [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418].
o Web-based: Use of an embedded web server in the NAS for management via a generic web browser client. The interface presented to the administrator may be graphical, tabular, or textual. The protocol is HTML over HTTP. The protocol may optionally be HTML over HTTPS, i.e., using HTTP over TLS [HTML] [RFC2616].
o NETCONF: Management via the NETCONF protocol using XML over supported transports (e.g., SSH, BEEP, SOAP). As secure transport profiles are defined for NETCONF, the list of transport options may expand [RFC4741], [RFC4742], [RFC4743], [RFC4744].
o FTP: File Transfer Protocol, used to transfer configuration files to and from the NAS [RFC0959].
o TFTP: Trivial File Transfer Protocol, used to transfer configuration files to and from the NAS [RFC1350].
o SFTP: SSH File Transfer Protocol, used to securely transfer configuration files to and from the NAS. SFTP uses the services of SSH [SFTP]. See also Section 3.7, "SSH and File Transfers" of [SSH]. Additional information on the "sftp" program may typically be found in the online documentation ("man" pages) of Unix systems.
o RCP: Remote CoPy file copy utility (Unix-based), used to transfer configuration files to and from the NAS. See Section 3.7, "SSH and File Transfers", of [SSH]. Additional information on the "rcp" program may typically be found in the online documentation ("man" pages) of Unix systems.
o SCP: Secure CoPy file copy utility (Unix-based), used to transfer configuration files to and from the NAS. The "scp" program is a simple wrapper around SSH. It's basically a patched BSD Unix "rcp", which uses ssh to do the data transfer (instead of using "rcmd"). See Section 3.7, "SSH and File Transfers", of [SSH]. Additional information on the "scp" program may typically be found in the online documentation ("man" pages) of Unix systems.
6.2.  Management-Transport-Protection

The Management-Transport-Protection (134) Attribute specifies the minimum level of protection that is required for a protected transport used with the Framed or non-Framed Management access session. The protected transport used by the NAS MAY provide a greater level of protection, but MUST NOT provide a lower level of protection.
When a secure form of non-Framed Management access is specified, it means that the remote terminal session is encapsulated in some form of protected transport, or tunnel. It may also mean that an explicit secure mode of operation is required, when the Framed Management protocol contains an intrinsic secure mode of operation. The Management-Transport-Protection (134) Attribute does not apply to CLI access via a local serial port, or other non-remote connection.
When a secure form of Framed Management access is specified, it means that the application-layer management protocol is encapsulated in some form of protected transport, or tunnel. It may also mean that an explicit secure mode of operation is required, when the Framed Management protocol contains an intrinsic secure mode of operation.
A value of "No Protection (1)" indicates that a secure transport protocol is not required, and that the NAS SHOULD accept a connection over any transport associated with the application-layer management protocol. The definitions of management application to transport bindings are defined in the relevant documents that specify those management application protocols. The same "No Protection" semantics are conveyed by omitting this attribute from an Access-Accept packet.
Specific protected transport protocols, cipher suites, key agreement methods, or authentication methods are not specified by this attribute. Such provisioning is beyond the scope of this document.
It is RECOMMENDED that the NAS include an appropriately valued Management-Transport-Protection (134) Attribute in an Access-Request packet, indicating the level of transport protection for the management access being requested, when that information is available to the RADIUS client. The RADIUS server MAY use this attribute as a hint in making its authorization decision.
The RADIUS server MAY include a Management-Transport-Protection (134) Attribute in an Access-Accept packet that also includes a Service-Type (6) Attribute with a value of Framed-Management (18), when the RADIUS server chooses to enforce a management access security policy for the authenticated user that dictates a minimum level of transport security.
When a NAS receives a Management-Transport-Protection (134) Attribute in an Access-Accept packet, it MUST deliver the management access over a transport with equal or better protection characteristics or disconnect the session. If the NAS does not support protected management transport protocols, or the level of protection available does not match that of the Management-Transport-Protection (134) Attribute in the Access-Accept packet, the NAS MUST treat the response packet as if it had been an Access-Reject.
A summary of the Management-Transport-Protection (134) Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Value (cont)           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
134 for Management-Transport-Protection.
Length
6
Value
The Value field is a four-octet enumerated value.
      1  No-Protection
      2  Integrity-Protection
      3  Integrity-Confidentiality-Protection
All other values are reserved for IANA allocation subject to the provisions of Section 11.
The names used in the above table are elaborated as follows:
o No-Protection: No transport protection is required. Accept connections via any supported transport.
o Integrity-Protection: The management transport MUST provide Integrity Protection, i.e., protection from unauthorized modification, using a cryptographic checksum.
o Integrity-Confidentiality-Protection: The management transport MUST provide both Integrity Protection and Confidentiality Protection, i.e., protection from unauthorized modification, using a cryptographic checksum, and protection from unauthorized disclosure, using encryption.
The configuration or negotiation of acceptable algorithms, modes, and credentials for the cryptographic protection mechanisms used in implementing protected management transports is outside the scope of this document. Many such mechanisms have standardized methods of configuration and key management.
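The following Python is an example added for this page; it is not code from RFC 5607 or from any RADIUS implementation. It encodes the two four-octet enumerated attributes defined in Sections 6.1 and 6.2, splits an attribute list into Type/Length/Value triples with the Length checks a receiver needs, and applies the NAS rules stated in those sections: a provisioned Framed-Management-Protocol must be supported and must match what the user asked for, and the transport in use must protect at least as well as the provisioned Management-Transport-Protection minimum, an absent attribute meaning No-Protection. The attribute splitter, the two decision functions and the constructed Access-Accept attribute list are this example's own.

```python
import struct

FRAMED_MANAGEMENT_PROTOCOL = 133        # Section 6.1
MANAGEMENT_TRANSPORT_PROTECTION = 134   # Section 6.2

# Enumerations from the two Value tables; every other value is IANA-reserved.
FMP_VALUES = {1: "SNMP", 2: "Web-based", 3: "NETCONF", 4: "FTP",
              5: "TFTP", 6: "SFTP", 7: "RCP", 8: "SCP"}
MTP_VALUES = {1: "No-Protection", 2: "Integrity-Protection",
              3: "Integrity-Confidentiality-Protection"}


def encode_enum_attr(attr_type, value):
    """Type (1 octet) | Length (1 octet, always 6) | Value (4 octets)."""
    return struct.pack("!BBI", attr_type, 6, value)


def parse_attrs(data):
    """Split a RADIUS attribute list into (Type, Value-octets) pairs.

    Length counts the Type and Length octets themselves, so it is at
    least 2 and must not run past the buffer; anything else is malformed.
    """
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("bad attribute Length %d" % length)
        attrs.append((attr_type, bytes(data[2:length])))
        data = data[length:]
    return attrs


def enum_value(attrs, attr_type):
    """Four-octet Value of the first attr_type in attrs, or None if absent.
    A Value that is not four octets is a malformed attribute."""
    for found_type, value in attrs:
        if found_type == attr_type:
            if len(value) != 4:
                raise ValueError("attribute %d must have Length 6" % attr_type)
            return struct.unpack("!I", value)[0]
    return None


def decide_framed_protocol(accept_attrs, requested, supported):
    """Section 6.1: if the Access-Accept carries Framed-Management-Protocol,
    the NAS MUST deliver that protocol; when it is unsupported, reserved,
    or not what the user asked for, the Access-Accept is treated as an
    Access-Reject.  Returns the protocol name to deliver, or None to reject.
    """
    value = enum_value(accept_attrs, FRAMED_MANAGEMENT_PROTOCOL)
    if value is None:
        return requested                 # server did not constrain the protocol
    name = FMP_VALUES.get(value)         # reserved value -> None -> reject
    if name is None or name not in supported or name != requested:
        return None
    return name


def decide_transport(accept_attrs, offered_level):
    """Section 6.2: the transport in use MUST protect at least as well as the
    provisioned minimum; an absent attribute means No-Protection (1).  The
    three defined values are ordered, so a numeric comparison is enough, and
    a reserved value cannot be honoured, so it is rejected.  Returns True
    when the session may be delivered."""
    required = enum_value(accept_attrs, MANAGEMENT_TRANSPORT_PROTECTION)
    if required is None:
        required = 1
    if required not in MTP_VALUES or offered_level not in MTP_VALUES:
        return False
    return offered_level >= required


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: NETCONF, over a transport
    # that must provide both integrity and confidentiality protection.
    accept = (encode_enum_attr(FRAMED_MANAGEMENT_PROTOCOL, 3)
              + encode_enum_attr(MANAGEMENT_TRANSPORT_PROTECTION, 3))
    attrs = parse_attrs(accept)
    print(decide_framed_protocol(attrs, "NETCONF", {"NETCONF", "SNMP"}))
    print(decide_transport(attrs, 3), decide_transport(attrs, 2))
```

Treating a reserved value as a reject is a consequence of the MUST-deliver-or-disconnect wording rather than an explicit rule in the text: the NAS cannot deliver a protocol or protection level it does not recognise, so the only conforming outcome is to refuse the session.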
6.3.  Management-Policy-Id

The Management-Policy-Id (135) Attribute indicates the name of the management access policy for this user. Zero or one Management-Policy-Id (135) Attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details.
Multiple forms of management access rules may be expressed by the underlying named policy, the definition of which is beyond the scope of this document. The management access policy MAY be applied contextually, based on the nature of the management access method. For example, some named policies may only be valid for application to NAS-Prompt (7) services and some other policies may only be valid for SNMP.
The management access policy named in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the NAS supports this attribute, but the policy name is unknown, or if the RADIUS client is able to determine that the policy rules are incorrectly formatted, the NAS MUST treat the Access-Accept packet as if it had been an Access-Reject.
No precedence relationship is defined for multiple occurrences of the Management-Policy-Id (135) Attribute. NAS behavior in such cases is undefined. Therefore, two or more occurrences of this attribute SHOULD NOT be included in an Access-Accept or CoA-Request (Change-of-Authorization). In the absence of further specification defining some sort of precedence relationship, it is not possible to guarantee multi-vendor interoperability when using multiple instances of this attribute in a single Access-Accept or CoA-Request packet.
The content of the Management-Policy-Id (135) Attribute is expected to be the name of a management access policy of local significance to the NAS, within a namespace of significance to the NAS. In this regard, the behavior is similar to that for the Filter-Id (11) Attribute. The policy names and rules are committed to the local configuration data-store of the NAS, and are provisioned by means beyond the scope of this document, such as via SNMP, NETCONF, or CLI.
The namespace used in the Management-Policy-Id (135) Attribute is simple and monolithic. There is no explicit or implicit structure or hierarchy. For example, in the text string "example.com", the "." (period or dot) is just another character. It is expected that text string matching will be performed without parsing the text string into any sub-fields.
Overloading or subdividing this simple name with multi-part specifiers (e.g., Access=remote, Level=7) is likely to lead to poor multi-vendor interoperability and SHOULD NOT be utilized. If a simple, unstructured policy name is not sufficient, it is RECOMMENDED that a Vendor Specific (26) Attribute be used instead, rather than overloading the semantics of Management-Policy-Id.
A summary of the Management-Policy-Id (135) Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
135 for Management-Policy-Id.
Length
>= 3
Text
The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and the contents MUST NOT be parsed by the receiver; the contents can only be used to look up locally defined policies. It is RECOMMENDED that the message contain UTF-8 encoded 10646 [RFC3629] characters.
The Management-Privilege-Level (136) Attribute indicates the integer-valued privilege level to be assigned for management access for the authenticated user. Many NASes provide the notion of differentiated management privilege levels denoted by an integer value. The specific access rights conferred by each value are implementation dependent. It MAY be used in both Access-Request and Access-Accept packets.
The mapping of integer values for this attribute to specific collections of management access rights or permissions on the NAS is vendor and implementation specific. Such mapping is often a user-configurable feature. It is RECOMMENDED that greater numeric values imply greater privilege. However, it would be a mistake to assume that this recommendation always holds.
The management access level indicated in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the NAS supports this attribute, but the privilege level is unknown, the NAS MUST treat the Access-Accept packet as if it had been an Access-Reject.
A summary of the Management-Privilege-Level (136) Attribute format is shown below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
136 for Management-Privilege-Level.
Length
6
Value
The Value field is a four-octet Integer, denoting a management privilege level.
It is RECOMMENDED to limit use of the Management-Privilege-Level (136) Attribute to sessions where the Service-Type (6) Attribute has a value of NAS-Prompt (7) (not Administrative). Typically, NASes treat NAS-Prompt as the minimal privilege CLI service and Administrative as full privilege. Using the Management-Privilege-Level (136) Attribute with a Service-Type (6) Attribute having a value of NAS-Prompt (7) will have the effect of increasing the minimum privilege level. Conversely, it is NOT RECOMMENDED to use this attribute with a Service-Type (6) Attribute with a value of Administrative (6), which may require decreasing the maximum privilege level.
It is NOT RECOMMENDED to use the Management-Privilege-Level (136) Attribute in combination with a Management-Policy-Id (135) Attribute or for management access methods other than interactive CLI. The behavior resulting from such an overlay of management access control provisioning is not defined by this document, and in the absence of further specification, is likely to lead to unexpected behaviors, especially in multi-vendor environments.
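As an added illustration (not part of RFC 5607), the following Python encodes and decodes the two attributes as RADIUS Type/Length/Value triples and applies the NAS-side rules above to a decoded Access-Accept. Rejecting when more than one Management-Policy-Id is present is this example's own conservative choice, since the document leaves that case undefined; `protection_known` and `local_override` model the Security Considerations rule for a NAS that cannot determine the transport's protection state, and the sample attribute list is constructed.

```python
import struct

# RADIUS attribute type codes and the enumerated value used below, as assigned in this document
MANAGEMENT_TRANSPORT_PROTECTION = 134
MANAGEMENT_POLICY_ID = 135
MANAGEMENT_PRIVILEGE_LEVEL = 136
NO_PROTECTION = 1


def encode_policy_id(name):
    """Management-Policy-Id (135): Type, Length (>= 3), UTF-8 Text of 1..253 octets."""
    text = name.encode("utf-8")
    if not 1 <= len(text) <= 253:
        raise ValueError("Text field must be 1..253 octets")
    return struct.pack("!BB", MANAGEMENT_POLICY_ID, 2 + len(text)) + text


def encode_privilege_level(level):
    """Management-Privilege-Level (136): Type, Length (6), four-octet Integer."""
    return struct.pack("!BBI", MANAGEMENT_PRIVILEGE_LEVEL, 6, level)


def decode_attributes(data):
    """Walk a RADIUS attribute list and return (type, value) pairs.

    Each attribute is Type (1 octet), Length (1 octet, covering Type and Length
    themselves) and Length-2 value octets; a malformed Length raises instead of
    being skipped over.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d for type %d" % (alen, atype))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def nas_decision(attrs, known_policies, known_levels, protection_known=True,
                 local_override=False):
    """Decide how a NAS supporting attributes 134-136 handles an Access-Accept.

    Returns "ACCEPT" or "REJECT".  An unknown policy name or unknown privilege
    level makes the Access-Accept count as an Access-Reject.  A transport
    protection value other than No-Protection (1) is also rejected when the NAS
    cannot determine the connection's protection state, unless local policy
    overrides that.  More than one Management-Policy-Id is undefined by the
    document; this example (an assumption) rejects it.
    """
    policies = [v for t, v in attrs if t == MANAGEMENT_POLICY_ID]
    if len(policies) > 1:
        return "REJECT"
    for raw in policies:
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError:
            return "REJECT"
        # Whole-string match: "." or "=" inside the name are ordinary characters.
        if name not in known_policies:
            return "REJECT"
    for atype, value in attrs:
        if atype == MANAGEMENT_PRIVILEGE_LEVEL:
            if len(value) != 4 or struct.unpack("!I", value)[0] not in known_levels:
                return "REJECT"
        elif atype == MANAGEMENT_TRANSPORT_PROTECTION:
            if len(value) != 4:
                return "REJECT"
            protection = struct.unpack("!I", value)[0]
            if protection != NO_PROTECTION and not protection_known and not local_override:
                return "REJECT"
    return "ACCEPT"


# Constructed Access-Accept attribute list: policy "Network Administrator" plus level 15.
SAMPLE_ACCEPT = encode_policy_id("Network Administrator") + encode_privilege_level(15)
```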
It is entirely OPTIONAL for the NAS management authorization attributes specified in this document to be used in conjunction with Dynamic Authorization extensions to RADIUS [RFC5176]. When such usage occurs, those attributes MAY be used as listed in the Table of Attributes in Section 10.
Some guidance on how to identify existing management sessions on a NAS for the purposes of Dynamic Authorization is useful. The primary session identifiers SHOULD be User-Name (1) and Service-Type (6). To accommodate instances when that information alone does not uniquely identify a session, a NAS supporting Dynamic Authorization SHOULD maintain one or more internal session identifiers that can be represented as RADIUS attributes. Examples of such attributes include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port (5), or NAS-Port-Id (87). In the case of a remote management session, common identifier values might include things such as the remote IP address and remote TCP port number, or the file descriptor value for use with the open socket. Any such identifier is obviously transient in nature, and implementations SHOULD take care to avoid and/or properly handle duplicate or stale values.
In order for the session identification attributes to be available to the Dynamic Authorization Client, a NAS supporting Dynamic Authorization for management sessions SHOULD include those session identification attributes in the Access-Request message for each such session. Additional discussion of session identification attribute usage may be found in Section 3 of [RFC5176].
1. Unprotected CLI access, via the local console, to the "super-user" access level:
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Async (0)
* Management-Transport-Protection (134) = No-Protection (1)
2. Unprotected CLI access, via a remote console, to the "super-user" access level:
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = No-Protection (1)
3. CLI access, via a fully protected secure remote terminal service to the non-privileged user access level:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-Confidentiality-Protection (3)
4. CLI access, via a fully protected secure remote terminal service, to a custom management access level, defined by a policy:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-Confidentiality-Protection (3)
* Management-Policy-Id (135) = "Network Administrator"
5. CLI access, via a fully protected secure remote terminal service, with a management privilege level of 15:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (134) = Integrity-Confidentiality-Protection (3)
* Management-Privilege-Level (136) = 15
6. SNMP access, using an Access Control Model specifier, such as a custom VACM View, defined by a policy:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = SNMP (1)
* Management-Policy-Id (135) = "SNMP Network Administrator View"
There is currently no standardized way of implementing this management policy mapping within SNMP. Such mechanisms are the topic of current research.
7. SNMP fully protected access:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = SNMP (1)
* Management-Transport-Protection (134) = Integrity-Confidentiality-Protection (3)
8. Web (HTTP/HTML) access:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = Web-based (2)
9. Secure web access, using a custom management access level, defined by a policy:
* Service-Type (6) = Framed-Management (18)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (133) = Web-based (2)
* Management-Transport-Protection (134) = Integrity-Confidentiality-Protection (3)
* Management-Policy-Id (135) = "Read-only web access"
When used in Diameter, the attributes defined in this specification can be used as Diameter attribute-value pairs (AVPs) from the Code space 1-255 (RADIUS attribute compatibility space). No additional Diameter Code values are therefore allocated. The data types and flag rules for the attributes are as follows:
                                         +---------------------+
                                         |    AVP Flag rules   |
                                         |----+-----+----+-----|----+
                                         |    |     |SHLD|MUST|    |
   Attribute Name            Value Type  |MUST| MAY | NOT| NOT|Encr|
   ---------------------------------|----+-----+----+-----|----|
   Service-Type                     |    |     |    |     |    |
                          Enumerated| M  |  P  |    |  V  | Y  |
   Framed-Management-Protocol       |    |     |    |     |    |
                          Enumerated| M  |  P  |    |  V  | Y  |
   Management-Transport-Protection  |    |     |    |     |    |
                          Enumerated| M  |  P  |    |  V  | Y  |
   Management-Policy-Id             |    |     |    |     |    |
                          UTF8String| M  |  P  |    |  V  | Y  |
   Management-Privilege-Level       |    |     |    |     |    |
                          Integer   | M  |  P  |    |  V  | Y  |
   ---------------------------------|----+-----+----+-----|----|
The attributes in this specification have no special translation requirements for Diameter to RADIUS or RADIUS to Diameter gateways; they are copied as is, except for changes relating to headers, alignment, and padding. See also [RFC3588], Section 4.1, and [RFC4005], Section 9.
What this specification says about the applicability of the attributes for RADIUS Access-Request packets applies in Diameter to AA-Request [RFC4005].
What is said about Access-Accept applies in Diameter to AA-Answer messages that indicate success.
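As an added example (not from the RFC or from any Diameter implementation), the following Python performs the gateway copy for one attribute in each direction: the value octets are copied as-is, and only the header, alignment and padding change, with the M flag set, P optional and V never set, as the flag table above requires. The function names and the checks on the reverse direction are this example's own.

```python
import struct

# Diameter AVP header flag bits (AVP Code, Flags, AVP Length, optional Vendor-ID)
AVP_FLAG_V = 0x80   # Vendor-specific: MUST NOT be set for these AVPs (codes 1-255)
AVP_FLAG_M = 0x40   # Mandatory:       MUST be set
AVP_FLAG_P = 0x20   # Protected:       MAY be set


def radius_attr_to_avp(atype, value, proxy_protected=False):
    """Gateway direction RADIUS -> Diameter for one decoded attribute (type 1-255).

    Builds the 8-octet AVP header with AVP Code = RADIUS type, M set and V clear,
    then copies the value unchanged and pads it to a multiple of four octets.
    The AVP Length field counts header plus data but not the padding.
    """
    if not 1 <= atype <= 255:
        raise ValueError("only the RADIUS-compatible code space 1-255 is covered here")
    flags = AVP_FLAG_M | (AVP_FLAG_P if proxy_protected else 0)
    length = 8 + len(value)
    header = struct.pack("!I", atype) + bytes([flags]) + length.to_bytes(3, "big")
    return header + value + b"\x00" * ((-len(value)) % 4)


def avp_to_radius_attr(buf):
    """Gateway direction Diameter -> RADIUS.  Returns (type, value, octets_consumed).

    Refuses AVPs that cannot be copied into a RADIUS attribute: vendor-specific
    (V set), a code outside 1-255, a missing M flag, a bad length, or data that
    would exceed the 253-octet RADIUS value limit.
    """
    if len(buf) < 8:
        raise ValueError("truncated AVP header")
    code = struct.unpack("!I", buf[:4])[0]
    flags = buf[4]
    length = int.from_bytes(buf[5:8], "big")
    if flags & AVP_FLAG_V:
        raise ValueError("vendor-specific AVP has no RADIUS code 1-255 equivalent")
    if not 1 <= code <= 255:
        raise ValueError("AVP code %d is outside the RADIUS compatibility space" % code)
    if not flags & AVP_FLAG_M:
        raise ValueError("M flag MUST be set on these AVPs")
    if length < 8 or length > len(buf):
        raise ValueError("bad AVP length")
    data = buf[8:length]
    if len(data) > 253:
        raise ValueError("value does not fit a RADIUS attribute (max 253 octets)")
    # The next AVP starts after the padding, so report the aligned size.
    return code, data, length + ((-length) % 4)
```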
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.
   Access Messages

   Request  Accept  Reject  Challenge   #    Attribute
   ---------------------------------------------------------------------
   0-1      0-1     0       0           133  Framed-Management-Protocol
   0-1      0-1     0       0           134  Management-Transport-Protection
   0        0-1     0       0           135  Management-Policy-Id
   0        0-1     0       0           136  Management-Privilege-Level

   Accounting Messages

   Request  Response   #    Attribute
   ---------------------------------------------------------------------
   0-1      0          133  Framed-Management-Protocol
   0-1      0          134  Management-Transport-Protection
   0-1      0          135  Management-Policy-Id
   0-1      0          136  Management-Privilege-Level

   Change-of-Authorization Messages

   Request  ACK  NAK   #    Attribute
   --------------------------------------------------------------------
   0        0    0     133  Framed-Management-Protocol
   0        0    0     134  Management-Transport-Protection
   0-1      0    0     135  Management-Policy-Id (Note 1)
   0-1      0    0     136  Management-Privilege-Level (Note 1)

   Disconnect Messages

   Request  ACK  NAK   #    Attribute
   ---------------------------------------------------------------------
   0        0    0     133  Framed-Management-Protocol
   0        0    0     134  Management-Transport-Protection
   0        0    0     135  Management-Policy-Id
   0        0    0     136  Management-Privilege-Level
(Note 1) When included within a CoA-Request, these attributes represent an authorization change request. When one of these attributes is omitted from a CoA-Request, the NAS assumes that the attribute value is to remain unchanged. Attributes included in a CoA-Request replace all existing values of the same attribute(s).
The following table defines the meaning of the above table entries.
   0     This attribute MUST NOT be present in a packet.
   0+    Zero or more instances of this attribute MAY be present in a packet.
   0-1   Zero or one instance of this attribute MAY be present in a packet.
   1     Exactly one instance of this attribute MUST be present in a packet.
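The following Python, added here and not part of the RFC, transcribes the Table of Attributes above into a count checker and then applies a CoA-Request to a session store the way Note 1 describes: included Management-Policy-Id or Management-Privilege-Level values replace all existing values of that attribute, omitted ones stay unchanged. Sessions are located by User-Name and Service-Type plus Acct-Session-Id, as the Dynamic Authorization guidance above suggests; the session store, attribute values and function names are this example's own.

```python
# Attribute type codes used below; User-Name, Service-Type and Acct-Session-Id are the
# session identification attributes this document recommends for Dynamic Authorization.
USER_NAME = 1
SERVICE_TYPE = 6
ACCT_SESSION_ID = 44
FRAMED_MANAGEMENT_PROTOCOL = 133
MANAGEMENT_TRANSPORT_PROTECTION = 134
MANAGEMENT_POLICY_ID = 135
MANAGEMENT_PRIVILEGE_LEVEL = 136

# Table of Attributes transcribed from above, keyed by packet kind:
# "0" = MUST NOT be present, "0-1" = zero or one instance MAY be present.
_ALL_ZERO = {133: "0", 134: "0", 135: "0", 136: "0"}
TABLE = {
    "Access-Request":      {133: "0-1", 134: "0-1", 135: "0",   136: "0"},
    "Access-Accept":       {133: "0-1", 134: "0-1", 135: "0-1", 136: "0-1"},
    "Access-Reject":       _ALL_ZERO,
    "Access-Challenge":    _ALL_ZERO,
    "Accounting-Request":  {133: "0-1", 134: "0-1", 135: "0-1", 136: "0-1"},
    "Accounting-Response": _ALL_ZERO,
    "CoA-Request":         {133: "0",   134: "0",   135: "0-1", 136: "0-1"},
    "CoA-ACK":             _ALL_ZERO,
    "CoA-NAK":             _ALL_ZERO,
    "Disconnect-Request":  _ALL_ZERO,
    "Disconnect-ACK":      _ALL_ZERO,
    "Disconnect-NAK":      _ALL_ZERO,
}
LIMITS = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1)}


def check_counts(packet_kind, attrs):
    """Return the table violations for a packet given as (type, value) pairs.

    An empty list means every attribute 133-136 occurs an allowed number of times.
    """
    counts = {}
    for atype, _ in attrs:
        counts[atype] = counts.get(atype, 0) + 1
    problems = []
    for atype, rule in TABLE[packet_kind].items():
        low, high = LIMITS[rule]
        n = counts.get(atype, 0)
        if n < low or (high is not None and n > high):
            problems.append("attribute %d occurs %d time(s) in %s, allowed %s"
                            % (atype, n, packet_kind, rule))
    return problems


def session_key(attrs):
    """Identify a management session by User-Name and Service-Type, plus
    Acct-Session-Id when the NAS reported one in its Access-Request."""
    found = dict(attrs)
    return (found.get(USER_NAME), found.get(SERVICE_TYPE), found.get(ACCT_SESSION_ID))


def apply_coa(sessions, coa_attrs):
    """Apply a CoA-Request to the session store following Note 1 of the table.

    Returns ("CoA-ACK", key) or ("CoA-NAK", reason).  A request that violates the
    table (for example one carrying attribute 133 or 134) is NAKed before any
    session state is touched.
    """
    problems = check_counts("CoA-Request", coa_attrs)
    if problems:
        return ("CoA-NAK", "; ".join(problems))
    key = session_key(coa_attrs)
    if key not in sessions:
        return ("CoA-NAK", "no session matches %r" % (key,))
    session = sessions[key]
    for atype in (MANAGEMENT_POLICY_ID, MANAGEMENT_PRIVILEGE_LEVEL):
        new_values = [v for t, v in coa_attrs if t == atype]
        if new_values:
            session[atype] = new_values   # replace all existing values of this attribute
    return ("CoA-ACK", key)


# Constructed session store: one NAS-Prompt (7) CLI session authorized by a named policy.
SESSIONS = {
    ("alice", 7, "0000A1B2"): {MANAGEMENT_POLICY_ID: ["Network Administrator"]},
}
```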
The following numbers have been assigned in the RADIUS Attribute Types registry.
o New enumerated value for the existing Service-Type Attribute:
* Framed-Management (18)
o New RADIUS Attribute Types:
* Framed-Management-Protocol (133)
* Management-Transport-Protection (134)
* Management-Policy-Id (135)
* Management-Privilege-Level (136)
The enumerated values of the newly assigned RADIUS Attribute Types as defined in this document were assigned at the same time as the new Attribute Types.
For the Framed-Management-Protocol Attribute:
   1  SNMP
   2  Web-based
   3  NETCONF
   4  FTP
   5  TFTP
   6  SFTP
   7  RCP
   8  SCP
For the Management-Transport-Protection Attribute:
   1  No-Protection
   2  Integrity-Protection
   3  Integrity-Confidentiality-Protection
Assignments of additional enumerated values for the RADIUS attributes defined in this document are to be processed as described in [RFC3575], subject to the additional requirement of a published specification.
This specification describes the use of RADIUS and Diameter for purposes of authentication, authorization, and accounting for management access to devices within networks. RADIUS threats and security issues for this application are described in [RFC3579] and [RFC3580]; security issues encountered in roaming are described in [RFC2607]. For Diameter, the security issues relating to this application are described in [RFC4005] and [RFC4072].
This document specifies new attributes that can be included in existing RADIUS packets, which may be protected as described in [RFC3579] and [RFC5176]. In Diameter, the attributes are protected as specified in [RFC3588]. See those documents for a more detailed description.
The security mechanisms supported in RADIUS and Diameter are focused on preventing an attacker from spoofing packets or modifying packets in transit. They do not prevent an authorized RADIUS/Diameter server or proxy from inserting attributes with malicious intent.
A legacy NAS may not recognize the attributes in this document that supplement the provisioning of CLI management access. If the value of the Service-Type Attribute is NAS-Prompt or Administrative, the legacy NAS may silently discard such attributes, while permitting the user to access the CLI management interface(s) of the NAS. This can lead to users improperly receiving authorized management access to the NAS, or access with greater levels of access rights than were intended. RADIUS servers SHOULD attempt to ascertain whether or not the NAS supports these attributes before sending them in an Access-Accept message that provisions CLI access.
It is possible that certain NAS implementations may not be able to determine the protection properties of the underlying transport protocol as specified by the Management-Transport-Protection Attribute. This may be a limitation of the standard application programming interface of the underlying transport implementation or of the integration of the transport into the NAS implementation. In either event, NASes conforming to this specification, which cannot determine the protection state of the remote management connection, MUST treat an Access-Accept message containing a Management-Transport-Protection Attribute containing a value other than No-Protection (1) as if it were an Access-Reject message, unless specifically overridden by local policy configuration.
Use of the No-Protection (1) option for the Management-Transport-Protection (134) Attribute is NOT RECOMMENDED in any deployment where secure management or configuration is required.
The device management access authorization attributes presented in this document present certain considerations when used in RADIUS proxy environments. These considerations are not different from those that exist in RFC 2865 [RFC2865] with respect to the Service-Type Attribute values of Administrative and NAS-Prompt.
Most RADIUS proxy environments are also multi-party environments. In multi-party proxy environments it is important to distinguish which entities have the authority to provision management access to the edge devices, i.e., NASes, and which entities only have authority to provision network access services of various sorts.
It may be important that operators of the NAS are able to ensure that access to the CLI, or other management interfaces of the NAS, is only provisioned to their own employees or contractors. One way for the NAS to enforce this requirement is to use only local, non-proxy RADIUS servers for management access requests. Proxy RADIUS servers could be used for non-management access requests, based on local policy. This "bifurcation" of RADIUS authentication and authorization is a simple case of separate administrative realms. The NAS may be designed so as to maintain separate lists of RADIUS servers for management AAA use and for non-management AAA use.
An alternate method of enforcing this requirement would be for the first-hop RADIUS proxy server, operated by the owner of the NAS, to filter out any RADIUS attributes that provision management access rights that originate from "up-stream" proxy servers not operated by the NAS owner. Access-Accept messages that provision such locally unauthorized management access MAY be treated as if they were an Access-Reject by the first-hop proxy server.
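As an added example (not the RFC's own), the following Python sketches both enforcement options for a NAS owner described above: the NAS-side "bifurcation" that sends management access requests only to the owner's local, non-proxy servers, and the first-hop proxy filter that converts an up-stream Access-Accept provisioning management access into an Access-Reject. Server names, the `owner_operated` set and the reply attribute lists are constructed for the example.

```python
# Service-Type values that provision management access per this document, and the
# management authorization attributes it defines.
SERVICE_TYPE = 6
ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT = 6, 7, 18
MANAGEMENT_SERVICE_TYPES = {ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT}
MANAGEMENT_ATTRS = {133, 134, 135, 136}


def is_management_request(request_attrs):
    """True when the Access-Request hints at CLI or framed management service."""
    return any(t == SERVICE_TYPE and v in MANAGEMENT_SERVICE_TYPES
               for t, v in request_attrs)


def select_servers(request_attrs, management_servers, general_servers):
    """NAS-side bifurcation: management access requests go only to the owner's local,
    non-proxy RADIUS servers; all other requests may use the proxy-capable list."""
    if is_management_request(request_attrs):
        return management_servers
    return general_servers


def provisions_management_access(reply_attrs):
    """True when an Access-Accept would grant management access: a management
    Service-Type, or any of the attributes 133-136."""
    return any((t == SERVICE_TYPE and v in MANAGEMENT_SERVICE_TYPES) or t in MANAGEMENT_ATTRS
               for t, v in reply_attrs)


def first_hop_filter(reply_code, reply_attrs, origin_server, owner_operated):
    """Policy of the first-hop proxy operated by the NAS owner.

    An Access-Accept that arrived from an up-stream server the owner does not operate
    and that provisions management access is converted to an Access-Reject (the
    document says such a reply MAY be treated as one); anything else passes through
    unchanged.  Returns (code, attrs, reason).
    """
    if reply_code != "Access-Accept" or origin_server in owner_operated:
        return reply_code, reply_attrs, "pass"
    if provisions_management_access(reply_attrs):
        return "Access-Reject", [], "management access provisioned by %s" % origin_server
    return reply_code, reply_attrs, "pass"


# Constructed server lists for the NAS: the first is owner-operated and local, the
# second forwards to partner realms.
MGMT_SERVERS = ["radius-local-1"]
PROXY_SERVERS = ["radius-proxy-1"]
```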
An additional exposure present in proxy deployments is that sensitive user credentials, e.g., passwords, are likely to be available in cleartext form at each of the proxy servers. Encrypted or hashed credentials are not subject to this risk, but password authentication is a very commonly used mechanism for management access authentication, and in RADIUS passwords are only protected on a hop-by-hop basis. Malicious proxy servers could misuse this sensitive information.
These issues are not of concern when all the RADIUS servers, local and proxy, used by the NAS are under the sole administrative control of the NAS owner.
Many thanks to all reviewers, including Bernard Aboba, Alan DeKok, David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Hannes Tschofenig, Barney Wolff, and Glen Zorn.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[HTML] Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01 Specification, W3C", December 1999.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985.
[RFC1350] Sollins, K., "The TFTP Protocol (Revision 2)", STD 33, RFC 1350, July 1992.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3412, December 2002.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network Management Protocol (SNMP) Applications", STD 62, RFC 3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002.
[RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3416, December 2002.
[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3417, December 2002.
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3418, December 2002.
[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.
[RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741, December 2006.
[RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF Configuration Protocol over Secure SHell (SSH)", RFC 4742, December 2006.
[RFC4743] Goddard, T., "Using NETCONF over the Simple Object Access Protocol (SOAP)", RFC 4743, December 2006.
[RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol over the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744, December 2006.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176, January 2008.
[SFTP] Galbraith, J. and O. Saarenmaa, "SSH File Transfer Protocol", Work in Progress, July 2006.
[SSH] Barrett, D., Silverman, R., and R. Byrnes, "SSH, the Secure Shell: The Definitive Guide, Second Edition, O'Reilly and Associates", May 2005.
Authors' Addresses

David B. Nelson
Elbrys Networks, Inc.
282 Corporate Drive
Portsmouth, NH 03801
USA

EMail: dnelson@elbrysnetworks.com

Greg Weber
Individual Contributor
Knoxville, TN 37932
USA

EMail: gdweber@gmail.com