On Feb 12, 2016, at 9:07 AM, Mikael Abrahamsson <[email protected]> wrote:
>
> On Fri, 12 Feb 2016, Alan DeKok wrote:
>
>> So it *is* an AAA protocol?
>
> I actually do not know what criteria you put in the AAA term. It might be
> different from what I use it for.
This is getting silly. The document describes itself as an AAA protocol. I'm willing to accept that. But most times I mention it's an AAA protocol, the response is "NO! The rules for AAA protocols don't apply! It's a device management protocol!"

I find such circular arguments unconvincing, and downright anti-social.

> For me TACACS does the following things:
>
> It checks username/password when I login, and the TAC+ server says if I can
> login or not with those credentials.
> It sends CLI commands I run on the router to the TAC+ server, and the TAC+
> server grants or doesn't grant me to run those individual commands, on a
> per-command basis. It also records what commands I ran.
>
> That's what I thought the "Authentication, Authorization, Accounting" meant.

By that standard, SQL and LDAP are AAA protocols. They authenticate administrators, authorize them to do some tasks and not others, and perform accounting / logging on the commands run by those administrators.

> As far as I have understood, Radius/Diameter doesn't do the last function(s)
> I described. Why is that?

Because your understanding is wrong? RADIUS does that. Not for every vendor, but it's explicitly designed to do that.

The *common* use-case for network management is that command authorization is done via TACACS+. And why is that? Because of anti-competitive behaviour by a major networking vendor. Who saw it as beneficial to *not* standardize command authorization. Despite (as Stefan pointed out) their own documentation which says it works in RADIUS, but which the switches completely ignore!

Now that they're getting bitten by interoperability issues, they want a rubber-stamp on the protocol as standards track.

I've explained this repeatedly. I suggest reading my messages to see what my argument is. That would help you to avoid asking questions which have already been answered repeatedly.

Speaking of repeated questions...
I've asked this question repeatedly: Why is it necessary to have a standards track document? What's wrong with informational?

I've respected you by answering your questions and explaining my position. Please consider doing the same for me.

  Alan DeKok.

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
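The per-command authorization that Mikael describes (router sends each CLI command to the TAC+ server, server answers PASS or FAIL, and the attempt is recorded) is worth seeing on the wire. The following is an added example, not code from the thread, from the draft, or from any vendor: a minimal client/server round trip using the packet layout of the TACACS+ draft as it was eventually published in RFC 8907 (header, MD5 pseudo-pad obfuscation, AUTHOR REQUEST and REPLY bodies). The shared key, session id, port, remote address, user name and command allow-list are constructed sample values, and the server's "accounting" is a plain in-memory list standing in for a real log.

```python
"""Minimal TACACS+ per-command authorization exchange (packet layout per
RFC 8907, the published form of the draft the thread discusses).  Added
illustrative code, not from the thread or any vendor; the shared key,
session id, user and command allow-list are constructed sample values."""
import hashlib
import struct

VERSION = (0xC << 4) | 0x0         # major 0xc, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_FLAG_UNENCRYPTED = 0x01   # header flag: body not obfuscated
PASS_ADD, FAIL = 0x01, 0x10        # authorization reply status (section 6.2)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, seq_no, length):
    """Section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(body, session_id, key, seq_no):
    hdr = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def open_packet(packet, key):
    _ver, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return ptype, seq_no, session_id, body


def author_request(user, port, rem_addr, args):
    """Section 6.1 body: 8 fixed bytes, one length byte per arg, then the
    variable fields.  authen_method 0x06 = TACACSPLUS, priv_lvl 1,
    authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN."""
    fixed = bytes([0x06, 1, 0x01, 0x01, len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(map(len, args)) + user + port + rem_addr + b"".join(args)


def parse_author_request(body):
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    lengths = [user_len, port_len, rem_len] + list(body[8:8 + arg_cnt])
    fields, pos = [], 8 + arg_cnt
    for n in lengths:
        fields.append(body[pos:pos + n])
        pos += n
    return fields[0], fields[1], fields[2], fields[3:]


def split_avpair(arg):
    """Section 3.7: "attr=value" (mandatory) or "attr*value" (optional)."""
    for i, c in enumerate(arg):
        if c in (0x3D, 0x2A):  # '=' or '*'
            return arg[:i], arg[i + 1:]
    raise ValueError("malformed argument")


def author_reply(status, server_msg=b""):
    """Section 6.2 body: status, arg_cnt, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


COMMAND_POLICY = {b"mikael": {b"show", b"ping"}}  # constructed sample allow-list
ACCOUNTING_LOG = []  # stand-in for the server's record of commands attempted


def server_authorize(packet, key, policy=COMMAND_POLICY):
    """Server side: de-obfuscate, parse, decide per command, record the attempt."""
    ptype, seq_no, session_id, body = open_packet(packet, key)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    user, _port, _rem, args = parse_author_request(body)
    av = dict(split_avpair(a) for a in args)
    cmd = av.get(b"cmd", b"")
    allowed = av.get(b"service") == b"shell" and cmd in policy.get(user, set())
    ACCOUNTING_LOG.append((user, cmd, av.get(b"cmd-arg", b""), allowed))
    reply = author_reply(PASS_ADD if allowed else FAIL, b"" if allowed else b"command not permitted")
    return build_packet(reply, session_id, key, seq_no + 1)


def authorize_command(user, cmd, cmd_arg, key=b"sample-shared-key", session_id=0x1A2B3C4D):
    """Client side (the router): ask for one CLI command, return the reply status."""
    args = [b"service=shell", b"cmd=" + cmd, b"cmd-arg=" + cmd_arg]
    request = build_packet(author_request(user, b"tty1", b"192.0.2.10", args), session_id, key, 1)
    reply = server_authorize(request, key)
    _ptype, _seq, _sid, body = open_packet(reply, key)
    return body[0]  # PASS_ADD (0x01) or FAIL (0x10)


if __name__ == "__main__":
    print(hex(authorize_command(b"mikael", b"show", b"running-config")))  # 0x1
    print(hex(authorize_command(b"mikael", b"reload", b"")))              # 0x10
```

The decision is made per command because the router sends a fresh AUTHOR REQUEST for each one rather than a session-wide grant, and every request lands in the server's log whether or not it passes, which is the accounting half of the picture. Note that the pseudo-pad is confidentiality-only: nothing in the packet authenticates the body, so a tampered reply is not detected by this layer.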
