From: "Bernard Aboba" <bernard_aboba@hotmail.com>
To: Black_David@emc.com
Cc: ips@ece.cmu.edu
Subject: RE: iSCSI User Auth MIB - security issue
Date: Thu, 26 Jun 2003 04:25:48 -0700
Message-ID: <BAY7-F1124nagamhpPQ000243fc@hotmail.com>

>So, in the RADIUS case, the MIB as-is functions only to do
>authorization (i.e., which identities using what authentication
>methods have access to which targets) in combination with the main
>iSCSI MIB.

The RADIUS access decision involves not only checking the credentials, but 
also validating the authorizations as well. So it seems that the 
authorizations also potentially reside on the RADIUS server.

I think this means that there needs to be a statement about which 
authorizations take precedence.

In some cases there can be a mix of local and remote authentication -- a 
target can have local users and authentication methods and if the identity 
or authentication method is not one of those, then the authentication is 
remoted.  I think this implies that RADIUS will take precedence for 
authorization of a remote user, but that local authorizations are used for 
local users.

