Back in June I wrote about a new draft in the IETF RADEXT working group concerning access control lists (ACLs). The draft specified a way to generically format and transmit IP ACLs using RADIUS. The draft is now in its sixth revision and has left the working group, headed towards becoming a proposed standard in the IETF. If approved, we will finally have a common technique for passing ACLs from a AAA server to a network enforcement device. The approach taken in the draft is to reuse the filter format defined within Diameter (scroll down to page 44 to see the format). To date, enforcement vendors have either relied on proprietary techniques for formatting these ACLs or have simply not supported them. It is very common today to see no support for a specific ACL but more general support for the RADIUS Filter-Id attribute (attribute 11, page 35). The Filter-Id attribute is nice, but it only allows the AAA server to point to a pre-existing filter on the enforcement device, not to define the filter itself on the AAA server.
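To make the difference concrete, here is an added example (my own code, not from the post, the draft, or any vendor) that parses rule strings in the Diameter IPFilterRule syntax the draft reuses (RFC 3588 section 4.3) and evaluates packets against them, first match wins. It assumes the simplified grammar `action dir proto from src [ports] to dst [ports]`, where `src`/`dst` are `any`, `assigned` or `addr[/bits]`, and it ignores trailing option keywords; the sample rules and packet fields are constructed. It also implements the RFC's stated fallback that a packet matching no rule is dropped if the last rule evaluated was a permit and passed if it was a deny, which is why the example ends by showing that a trailing `deny in` alone does not cover outbound traffic.

```python
"""Parse and evaluate Diameter IPFilterRule strings (RFC 3588 sec. 4.3).

Example code, not from the original post or the draft. Assumed grammar:
  action dir proto from src [ports] to dst [ports]
action = permit|deny, dir = in (from the terminal) | out (to the terminal),
proto = "ip" (any) or a protocol number, src/dst = any | assigned | addr[/bits],
ports = comma list of N or N-M. Option keywords after dst are not parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    network: Optional[object]            # ip_network, or None for any/assigned
    assigned: bool                       # True for the keyword "assigned"
    ports: Tuple[Tuple[int, int], ...]   # ((lo, hi), ...); empty means any port

    def matches(self, addr, port, assigned_addr):
        ip = ipaddress.ip_address(addr)
        if self.assigned:
            # "assigned" means the address the NAS assigned to this session
            if assigned_addr is None or ip != ipaddress.ip_address(assigned_addr):
                return False
        elif self.network is not None and ip not in self.network:
            return False
        if self.ports and not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        return True


@dataclass(frozen=True)
class FilterRule:
    action: str
    direction: str
    proto: Optional[int]   # None = "ip", i.e. any protocol
    src: Endpoint
    dst: Endpoint


def _parse_ports(tokens):
    """Consume an optional port-list token; return (ranges, tokens consumed)."""
    if not tokens or not tokens[0][0].isdigit():
        return (), 0
    ranges = []
    for item in tokens[0].split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges), 1


def _parse_endpoint(tokens):
    """Parse addr-spec [ports]; return (Endpoint, tokens consumed)."""
    spec = tokens[0]
    if spec == "any":
        net, assigned = None, False
    elif spec == "assigned":
        net, assigned = None, True
    else:
        net, assigned = ipaddress.ip_network(spec, strict=False), False
    ports, used = _parse_ports(tokens[1:])
    return Endpoint(net, assigned, ports), 1 + used


def parse_rule(text):
    """Turn one IPFilterRule string into a FilterRule; raise on malformed input."""
    t = text.split()
    if len(t) < 7 or t[0] not in ("permit", "deny") or t[1] not in ("in", "out") \
            or t[3] != "from":
        raise ValueError("malformed IPFilterRule: %r" % text)
    proto = None if t[2] == "ip" else int(t[2])
    src, used = _parse_endpoint(t[4:])
    rest = t[4 + used:]
    if not rest or rest[0] != "to":
        raise ValueError("expected 'to' in %r" % text)
    dst, _ = _parse_endpoint(rest[1:])
    return FilterRule(t[0], t[1], proto, src, dst)


def evaluate(rules, direction, proto, src, sport, dst, dport, assigned_addr=None):
    """First matching rule wins; returns True if the packet is permitted.
    RFC 3588 fallback when nothing matches: drop if the last rule evaluated was a
    permit, pass if it was a deny (an empty rule list drops everything)."""
    last = None
    for r in rules:
        last = r
        if r.direction != direction or (r.proto is not None and r.proto != proto):
            continue
        if r.src.matches(src, sport, assigned_addr) and r.dst.matches(dst, dport, assigned_addr):
            return r.action == "permit"
    return last is not None and last.action == "deny"


def check(rule_texts, **pkt):
    """Convenience wrapper: parse the rule strings and evaluate one packet."""
    return evaluate([parse_rule(r) for r in rule_texts], **pkt)


# Constructed sample: an SSH/HTTPS-only policy for a session assigned 192.0.2.10.
SAMPLE_RULES = [
    "permit in 6 from assigned to 10.0.0.0/8 22,443",
    "permit out 6 from 10.0.0.0/8 22,443 to assigned",
    "deny in ip from any to any",
]
```

Note what the fallback rule does to the sample policy: an outbound UDP packet matches none of the three rules, the last rule evaluated is a deny, so the packet is passed. A rule list sent to an enforcement device should therefore end with an explicit deny for both `in` and `out`, rather than relying on the default.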
The key, if approved, will be getting the enforcement vendors to support the new standard. Since HP authored the draft, it seems quite likely that HP will support the capability. If Cisco and Juniper follow suit, it would be great news for customers struggling with network-level authorizations throughout a heterogeneous network. My guess is that customer pressure will be instrumental in getting the big guys on board. Pair this functionality with network-wide authentication and some basic NAC checks and you've suddenly got a heterogeneous solution which hangs together quite nicely. Heck, toss in RFC 3576 support and you'll really be onto something.