From owner-ietf-radius@livingston.com Fri Jul 2 15:08:07 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA22691 for ; Fri, 2 Jul 1999 15:08:05 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id MAA17340; Fri, 2 Jul 1999 12:00:05 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id JAA28759 for ietf-radius-outgoing; Fri, 2 Jul 1999 09:58:07 -0700 (PDT) Message-Id: <199907021219.IAA07221@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: ietf-radius@livingston.com From: Internet-Drafts@ietf.org Subject: (radius) I-D ACTION:draft-ietf-radius-tunnel-auth-07.txt Date: Fri, 02 Jul 1999 08:19:11 -0400 Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: Internet-Drafts@ietf.org --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Remote Authentication Dial-In User Service Working Group of the IETF. Title : RADIUS Attributes for Tunnel Protocol Support Author(s) : G. Zorn, D. Leifer, A. Rubens, M. Holdrege, J. Shriver Filename : draft-ietf-radius-tunnel-auth-07.txt Pages : 19 Date : 01-Jul-99 This document defines a set of RADIUS attributes designed to support the provision of compulsory tunneling in dial-up networks. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-07.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-radius-tunnel-auth-07.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-radius-tunnel-auth-07.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <19990701144527.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-radius-tunnel-auth-07.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-radius-tunnel-auth-07.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <19990701144527.I-D@ietf.org> --OtherAccess-- --NextPart-- - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Thu Jul 8 19:23:33 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA19933 for ; Thu, 8 Jul 1999 19:23:32 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id QAA03808; Thu, 8 Jul 1999 16:15:36 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id QAA18398 for ietf-radius-outgoing; Thu, 8 Jul 1999 16:15:34 -0700 (PDT) Message-ID: From: Indranil Bagchi To: ietf-radius@livingston.com Subject: (radius) Command execution Date: Thu, 8 Jul 1999 16:14:41 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: Indranil Bagchi I am required to enhance the login shell on a switch enabling users to execute certain predefined commands. For example if the shell supports 10 commands, I would like to create user profiles and allow a specific user to execute a particular set of commands. E.g.. User A can execute commands 1,5 and 9. User B can execute commands 3 and 6 etc. We plan to use a radius server to define such associations and allow/deny a particular user for executing a particular command. For example, if User B wants to execute any command other than 3 and 6, the radius server should deny it. Are there implementations which support this kind of a feature and how can one achieve it in the radius framework. Thanks - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Fri Jul 9 02:33:28 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA08417 for ; Fri, 9 Jul 1999 02:33:27 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id XAA03130; Thu, 8 Jul 1999 23:25:20 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id XAA06776 for ietf-radius-outgoing; Thu, 8 Jul 1999 23:30:51 -0700 (PDT) Posted-Date: Fri, 9 Jul 1999 08:24:26 +0200 (MET DST) Message-ID: <37859654.81B03E1@tid.es> Date: Fri, 09 Jul 1999 08:27:32 +0200 From: Jose Ignacio =?iso-8859-1?Q?Caba=F1as?= X-Mailer: Mozilla 4.61 [en] (WinNT; I) X-Accept-Language: es,en MIME-Version: 1.0 To: "ietf-radius@livingston.com" Subject: (radius) RADIUS RFC doubt Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: Jose Ignacio =?iso-8859-1?Q?Caba=F1as?= Content-Transfer-Encoding: 7bit Hello: I am testing a radius software am I have found a possible mistake which maybe makes this software uncompliant with RADIUS RFC: I have tested the server using distinct shared secret on the client and I have made a authentication request...According with the RFC, what should the server do?: - Discard the request silently? - Send a reject response to the client? I would be grateful if somebody could explain me what is the right behavior Maybe both of these behaviors are RFC compliant? Thanks in advance, Jose Ignacio - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Fri Jul 9 08:54:04 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA10948 for ; Fri, 9 Jul 1999 08:54:02 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id FAA07663; Fri, 9 Jul 1999 05:46:20 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id FAA17537 for ietf-radius-outgoing; Fri, 9 Jul 1999 05:51:35 -0700 (PDT) Date: Fri, 9 Jul 1999 05:50:39 -0700 (PDT) From: "pcalhoun@eng.sun.com" Subject: Re: (radius) Command execution To: Indranil Bagchi Cc: ietf-radius@livingston.com In-Reply-To: "Your message with ID" Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: "pcalhoun@eng.sun.com" > > I am required to enhance the login shell on a switch enabling users to > execute certain predefined commands. For example if the shell supports > 10 commands, I would like to create user profiles and allow a specific > user to execute a particular set of commands. > > E.g.. User A can execute commands 1,5 and 9. > User B can execute commands 3 and 6 etc. > > We plan to use a radius server to define such associations and allow/deny > a particular user for executing a particular command. For example, if > User B wants to execute any command other than 3 and 6, the radius > server should deny it. > > Are there implementations which support this kind of a feature and how > can one achieve it in the radius framework. > The answer is no, RADIUS cannot really do that. However, one way around this problem would be to make use of the Filters. This would require that you pre-configure a set of filters, where filter A would allow commands 1, 5 and 9, etc. Then user A would have, as part of his/her profile, filter A. This is probably not ideal, so if you want a better way, simply start creating vendors specific Attributes. Hell, there are more of them out there than the ones defined in the RFCs :) PatC - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Fri Jul 9 17:44:29 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA18612 for ; Fri, 9 Jul 1999 17:44:27 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id OAA23918; Fri, 9 Jul 1999 14:36:33 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id OAA03358 for ietf-radius-outgoing; Fri, 9 Jul 1999 14:41:11 -0700 (PDT) Message-ID: <9A74C89D6696D2118E500008C7BA7C56BF6A51@wcomexch1.wcom.net> From: "Beadles, Mark A." To: "'ietf-radius@livingston.com'" Subject: (radius) New attributes in tunnel draft Date: Fri, 9 Jul 1999 17:41:53 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: "Beadles, Mark A." I really like the two new attributes: -tunnel-client-auth-id and -tunnel-client-server-id. In fact, I like them so much, I want to use them. Can we get some numbers assigned so that this is possible between multiple vendors? + Mark Anthony Beadles + UUNET Product Development + + mbeadles@wcom.net + http://networking.us.uu.net + + Voice 614.723.1941 + Fax 614.723.8407 + - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Mon Jul 12 03:38:33 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA23943 for ; Mon, 12 Jul 1999 03:38:31 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id AAA24745; Mon, 12 Jul 1999 00:30:33 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id AAA03538 for ietf-radius-outgoing; Mon, 12 Jul 1999 00:33:52 -0700 (PDT) Message-Id: <4.2.0.58.19990712032925.00bc5370@132.245.32.8> X-Sender: mitton@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 12 Jul 1999 03:34:38 -0400 To: Indranil Bagchi , ietf-radius@livingston.com From: Dave Mitton Subject: Re: (radius) Command execution In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: Dave Mitton The Xylogics/////Bay////Nortel Annex///Versalar RAC, implments this functionality using several VSAs. In particular, we have an attribute, Annex-CLI-Filter, which is simply a string containing a list of all dis-allowed commands for that user. We also implement an attribute, Annex-CLI-Command, which is simply an single command. The Access-Accept can contain multiple commands and they will be executed in order, before giving the user any control (if at all). Dave. At 04:14 PM 7/8/99 -0700, Indranil Bagchi wrote: >I am required to enhance the login shell on a switch enabling users to >execute certain predefined commands. For example if the shell supports >10 commands, I would like to create user profiles and allow a specific >user to execute a particular set of commands. > >E.g.. User A can execute commands 1,5 and 9. > User B can execute commands 3 and 6 etc. > >We plan to use a radius server to define such associations and allow/deny >a particular user for executing a particular command. For example, if >User B wants to execute any command other than 3 and 6, the radius >server should deny it. > >Are there implementations which support this kind of a feature and how >can one achieve it in the radius framework. > >Thanks > >- >To unsubscribe, email 'majordomo@livingston.com' with >'unsubscribe ietf-radius' in the body of the message. --------------------------------------------------------------- David Mitton ESN: 248-4570 Consulting Engineer, Nortel Networks 978-288-4570 Direct Carrier Packet Solutions, IP Services 978-288-3030 FAX Billerica, MA 01821 dmitton@nortelnetworks.com - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Mon Jul 19 11:36:28 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA12929 for ; Mon, 19 Jul 1999 11:36:27 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.8.5/8.6.9) with ESMTP id IAA20741; Mon, 19 Jul 1999 08:28:26 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id IAA15923 for ietf-radius-outgoing; Mon, 19 Jul 1999 08:29:45 -0700 (PDT) Message-ID: <007401bed1fb$42954d70$0103a8c0@ds9> From: "Darran Potter" To: Subject: Re: (radius) Tags in L2TP draft Date: Mon, 19 Jul 1999 16:27:46 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: "Darran Potter" Content-Transfer-Encoding: 7bit I dont this this made it to the list last time. ----- Original Message ----- From: Darran Potter To: Sent: 16 July 1999 14:55 Subject: Re: (radius) Tags in L2TP draft > Does the new tunnel-07 draft address any of the problems noted to date? > > Also, apols if this is stupid... but how come RFCs dont include a change history section? > > When a new draft comes out, eg tunnel-07 you have to read the entire doc hunting for > changes... and risk missing some. > > Darran > > > ----- Original Message ----- > From: Carl Rigney > To: > Sent: 11 June 1999 05:52 > Subject: (radius) Tags in L2TP draft > > > > I'd like to see the L2TP draft specify Tags fully and completely enough > > to guarantee interoperability. Anything less is inadequate. If people > > could hammer out some language quickly and thoroughly it would be very > > nice to get those drafts moving along. > > > > I've seen lots of postings from Mark (& the forwardings from John) but > > so far not much in the other direction. Are discussions happening by > > private email, or languishing? > > > > -- > > Carl Rigney > > IETF RADIUS WG Chair > > cdr@livingston.com > > - > > To unsubscribe, email 'majordomo@livingston.com' with > > 'unsubscribe ietf-radius' in the body of the message. > - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message. From owner-ietf-radius@livingston.com Thu Jul 29 12:36:36 1999 Received: from bast.livingston.com (bast.livingston.com [149.198.247.2]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA25337 for ; Thu, 29 Jul 1999 12:36:35 -0400 (EDT) Received: from server.livingston.com (server.livingston.com [149.198.1.70]) by bast.livingston.com (8.9.3/8.9.3) with ESMTP id JAA22317; Thu, 29 Jul 1999 09:35:16 -0700 (PDT) Received: (from majordom@localhost) by server.livingston.com (8.8.5/8.6.9) id JAA25748 for ietf-radius-outgoing; Thu, 29 Jul 1999 09:29:42 -0700 (PDT) Message-ID: <4FD6422BE942D111908D00805F3158DF1842408D@RED-MSG-52> From: Glen Zorn To: Zhidan_Cheng@3com.com, ietf-radius@livingston.com Subject: (radius) RE: Two interpretations to the NT-Key of MS-CHAP-MPPE-Keys Date: Wed, 28 Jul 1999 19:34:35 -0700 X-Mailer: Internet Mail Service (5.5.2524.0) Sender: owner-ietf-radius@livingston.com Precedence: bulk Reply-To: Glen Zorn The MPPE draft is correct. In RFC 2548 I was _thinking_ "the hashed Windows NT password _as stored on the Windows NT domain controller_" (which is a hash), but wrote "the hashed Windows NT password". Sorry for the confusion. -----Original Message----- From: Zhidan_Cheng@3com.com [mailto:Zhidan_Cheng@3com.com] Sent: Wednesday, July 21, 1999 9:51 AM To: Glen Zorn; ietf-radius@livingston.com Subject: Two interpretations to the NT-Key of MS-CHAP-MPPE-Keys Glen, There are two interpretations to the NT-Key of MS-CHAP-MPPE-Keys. One takes the sixteen octets of the output of the function NtPasswordHash as NT-Key. Another one takes the sixteen octets of the output of the function PasswordHashHash as NT-Key. Would you please clarify this? Thanks. Microsoft Vendor-specific RADIUS Attributes (RFC 2548) states: Vendor-Type 12 for MS-CHAP-MPPE-Keys. Vendor-Length 34 Keys The Keys field consists of two logical sub-fields: the LM-Key and the NT-Key. The LM-Key is eight octets in length and contains the first eight bytes of the output of the function LmPasswordHash(P, This hash is constructed as follows: let the plain-text password be represented by P. The NT-Key sub-field is sixteen octets in length and contains the first sixteen octets of the hashed Windows NT password. And internet draft MPPE Key Derivation (Feb. 1999) states: 4.4.2. Sample 128-bit Key Derivation Initial Values Password = "clientPass" Challenge = 10 2d b5 df 08 5d 30 41 Step 1: NtPasswordHash(Password, PasswordHash) PasswordHash = 44 eb ba 8d 53 12 b8 d6 11 47 44 11 f5 69 89 ae Step 2: PasswordHashHash = MD4(PasswordHash) PasswordHashHash = 41 c0 0c 58 4b d2 d9 1c 40 17 a2 a1 2f a5 9f 3f Step 2: GetStartKey(Challenge, PasswordHashHash, InitialSessionKey) InitialSessionKey = a8 94 78 50 cf c0 ac ca d1 78 9f b6 2d dc dd b0 Step 3: Copy InitialSessionKey to CurrentSessionKey CurrentSessionKey = a8 94 78 50 cf c0 ac ca d1 78 9f b6 2d dc dd b0 Step 4: GetKey(InitialSessionKey, CurrentSessionKey, 16) CurrentSessionKey = 59 d1 59 bc 09 f7 6f 1d a2 a8 6a 28 ff ec 0b 1e Zhidan Cheng - To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe ietf-radius' in the body of the message.