RADIUS Filter Rules
A new IETF draft was recently published describing an extension to RADIUS that supports a standard way to define access control lists at the rule level. Previous standard incarnations used the Filter-Id attribute, which can only point to a filter already configured on the device. Though some vendor-specific attributes (VSAs) can provide this functionality today, a ubiquitous standard attribute is vastly preferable. It would provide a much better vehicle for describing authorization rules in a central location instead of managing them individually on each enforcement device.
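As an added illustration (not code from the post, the draft, or any vendor), the following Python parses rules written in the Diameter IPFilterRule syntax that the RADEXT draft reuses (`action dir proto from src to dst`, RFC 3588 Section 4.3) and evaluates a packet against an ordered rule list the way an enforcement device would. The rule strings, addresses, and the `Packet` and `FilterRule` names are constructed for the example; trailing rule options such as `established` or `frag` are outside the subset handled here and are rejected rather than silently ignored. It also carries the Diameter no-match semantic, where a packet that matches nothing is dropped if the last rule evaluated was a permit and passed if it was a deny, which is why a rule set should always end with an explicit catch-all.

```python
"""Parse and evaluate Diameter IPFilterRule-style rules (hypothetical example).

Supported grammar (a subset of RFC 3588 Section 4.3):
    action dir proto from src [ports] to dst [ports]
action = permit|deny, dir = in|out, proto = ip|tcp|udp|icmp|<number>,
src/dst = any | assigned | <ip>[/<bits>], ports = 80 or 22,1024-65535.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class FilterRule:
    action: str
    direction: str
    proto: Optional[int]        # None means "ip": any protocol
    src: Optional[str]          # None = any, "assigned", or a network string
    src_ports: List[PortRange]
    dst: Optional[str]
    dst_ports: List[PortRange]


@dataclass
class Packet:
    direction: str              # "in" or "out" relative to the user session
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_ports(text: str) -> List[PortRange]:
    ranges = []
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item}")
        ranges.append((lo_i, hi_i))
    return ranges


def _parse_endpoint(tokens: List[str], i: int):
    """Consume one address spec plus an optional port list at tokens[i]."""
    if i >= len(tokens):
        raise ValueError("missing address")
    addr, i = tokens[i], i + 1
    if addr == "any":
        net = None
    elif addr == "assigned":
        net = "assigned"
    else:
        net = str(ipaddress.ip_network(addr, strict=False))
    ports: List[PortRange] = []
    if i < len(tokens) and tokens[i][0].isdigit():
        ports, i = _parse_ports(tokens[i]), i + 1
    return net, ports, i


def parse_rule(text: str) -> FilterRule:
    tokens = text.split()
    if len(tokens) < 7:
        raise ValueError(f"malformed rule: {text!r}")
    action, direction, proto = tokens[0], tokens[1], tokens[2]
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"bad action/direction in rule: {text!r}")
    proto_num = None if proto == "ip" else PROTO_NAMES.get(proto, None)
    if proto != "ip" and proto_num is None:
        proto_num = int(proto)          # numeric protocol; ValueError if garbage
    if tokens[3] != "from":
        raise ValueError(f"expected 'from' in rule: {text!r}")
    src, src_ports, i = _parse_endpoint(tokens, 4)
    if i >= len(tokens) or tokens[i] != "to":
        raise ValueError(f"expected 'to' in rule: {text!r}")
    dst, dst_ports, i = _parse_endpoint(tokens, i + 1)
    if i != len(tokens):
        raise ValueError(f"unsupported options: {' '.join(tokens[i:])}")
    if (src_ports or dst_ports) and proto_num not in (6, 17):
        raise ValueError("port lists are only valid for tcp or udp")
    return FilterRule(action, direction, proto_num, src, src_ports, dst, dst_ports)


def _addr_matches(spec: Optional[str], addr: str, assigned_ip: str) -> bool:
    if spec is None:
        return True
    if spec == "assigned":                  # the address given to this user
        return ipaddress.ip_address(addr) == ipaddress.ip_address(assigned_ip)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _port_matches(ranges: List[PortRange], port: Optional[int]) -> bool:
    return not ranges or (port is not None and any(lo <= port <= hi for lo, hi in ranges))


def rule_matches(rule: FilterRule, pkt: Packet, assigned_ip: str) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and _addr_matches(rule.src, pkt.src, assigned_ip)
            and _port_matches(rule.src_ports, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst, assigned_ip)
            and _port_matches(rule.dst_ports, pkt.dport))


def evaluate(rules: List[FilterRule], pkt: Packet, assigned_ip: str) -> str:
    """First matching rule for the packet's direction wins.  With no match,
    RFC 3588 drops the packet if the last evaluated rule was a permit and
    passes it if that rule was a deny.  No rule at all for the direction is
    treated as deny here (an assumption; the spec leaves it open)."""
    last = None
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        last = rule.action
        if rule_matches(rule, pkt, assigned_ip):
            return rule.action
    if last is None:
        return "deny"
    return "deny" if last == "permit" else "permit"


# Constructed sample: what an AAA server might hand the NAS for one session.
SAMPLE_RULES = [
    "deny in ip from 192.0.2.0/24 to any",
    "permit in tcp from any to assigned 22,443",
    "permit in udp from 198.51.100.53 53 to assigned",
    "deny in ip from any to any",
    "permit out ip from assigned to any",
    "deny out ip from any to any",
]


def check(rule_texts: List[str], pkt: Packet, assigned_ip: str = "10.0.0.5") -> str:
    return evaluate([parse_rule(r) for r in rule_texts], pkt, assigned_ip)


if __name__ == "__main__":
    print(check(SAMPLE_RULES, Packet("in", 6, "203.0.113.9", "10.0.0.5", 40000, 443)))
```

The two rule lists at the end of the test below show the trap the explicit catch-all avoids: a list consisting of a single `permit` silently denies everything else, while a list consisting of a single `deny` silently permits everything else.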
December 20th, 2006 at 1:04 pm
[…] Back in June I wrote about a new draft in the IETF RADEXT working group concerning access control lists (ACLs). The draft specified a way to generically format and transmit IP ACLs using RADIUS. The draft is now in its sixth revision and left the working group headed towards a proposed standard in the IETF. If approved, we will finally have a common technique for passing ACLs to a network enforcement device from an AAA server. The approach taken in this draft is to reuse the filter format defined within Diameter (scroll down to page 44 to see the format). To date, enforcement vendors have either relied on proprietary techniques for formatting these ACLs or have simply not supported them. It is very common today to see no support for the specific ACL but a more general support for the RADIUS Filter-Id attribute (attribute 11, page 35). The Filter-Id attribute is nice, but it only allows the AAA server to point to a pre-existing filter on the enforcement device, not to create one on the AAA server. […]