Internet DRAFT - draft-vishwakarma-opsawg-ssh-cert-radius
draft-vishwakarma-opsawg-ssh-cert-radius
OPSAWG WG Devendra Vishwakarma
Internet-Draft Cisco Systems
Intended status: Informational Prakash Suthar
Expires: 1 July 2022 Google Inc.
Vivek Agarwal
Anil Jangam, Ed.
Cisco Systems
28 December 2021
RADIUS Extension for Certificate-based SSH Authentication
draft-vishwakarma-opsawg-ssh-cert-radius-02
Abstract
A scalable and centralized mechanism is required for a certificate-
based administrative access to multitude of virtualized and physical
network functions. While there are mechanisms that exist today to
provide secure administrative command-line and API-based access,
there are certain management and maintenance overheads as well as
certain scalability challenges related to it. In this draft we
discuss these challenges and propose a standardized, centralized
server-based mechanism to authenticate a user over an SSH session
using its client certificate.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 July 2022.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 1]
Internet-Draft SSL Cert Radius December 2021
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Conventions and Terminology . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Centralized RADUIS Server based Solution . . . . . . . . 4
3. Operational Details . . . . . . . . . . . . . . . . . . . . . 5
3.1. Basic Setup . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. EAP TLS authentication . . . . . . . . . . . . . . . . . 7
3.3. RADIUS Access Request . . . . . . . . . . . . . . . . . . 7
3.4. Radius Accounting Request . . . . . . . . . . . . . . . . 9
3.5. Radius Access Accept . . . . . . . . . . . . . . . . . . 11
4. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 11
4.1. Packet Format . . . . . . . . . . . . . . . . . . . . . . 11
4.2. Packet Types . . . . . . . . . . . . . . . . . . . . . . 12
4.2.1. Access Request . . . . . . . . . . . . . . . . . . . 12
4.3. Attributes . . . . . . . . . . . . . . . . . . . . . . . 12
4.3.1. Service Type . . . . . . . . . . . . . . . . . . . . 12
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1. Normative References . . . . . . . . . . . . . . . . . . 14
9.2. Informative References . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
This document uses the terminology of [RFC3987] and [RFC3986] for
RADIUS entities.
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 2]
Internet-Draft SSL Cert Radius December 2021
2. Introduction
With the pervasive use of virtualized infrastructure (e.g.,
microservices-based application designs), a high magnitude of
individual and autonomous software application components are working
together to realize a complete system functionality. With a large
number of highly interacting agents, an authentication and
authorization mechanism which is scalable and flexible is very
critical for administrative access. A typical service authentication
and authorization (AAA) infrastructure comprise of an identity
management, verification and, validations functions.
In a typical day of an IT (Information Technology) enabled
organization, IT engineers often connect to many different servers
while carrying their tasks such as, change of configurations, write a
software code, save a file, fetch an image, etc. There are mainly
three different ways engineers can authenticate to the servers they
are connecting to.
* Password based
* RSA key based
* OpenSSH certificate based local authentication
While these methods are currently being used, they suffer from the
following limitations respectively.
* Password based: In this method, user needs to enter the username
and password each time it tries to login to a server. With the
increasing frequency and number of servers, the manual
configuration becomes untenable. While script-based automation is
an option, it is highly insecure as passwords are stored in
cleartext. Also, a frequent password changes and adherence to
complex password policies are required to prevent against any
misuse. A 2-factor authentication mechanism provides some
protection but it still involves a certain level of human
interaction, which is difficult to automate.
* The RSA key-based authentication requires a frequent copy of files
to each device, server, cloud-native network function (CNF), and
virtual network functions (VNFs) and hence is not scalable. In
addition, if a key gets compromised, the revocation of it from all
servers and VNFs involves a lot of effort.
* OpenSSH certificate based local authentication requires root
certification authority (CA) certificate to be copied to each
individual device, server, and the VNF. If the developers are
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 3]
Internet-Draft SSL Cert Radius December 2021
using client certificate from multiple certification authorities,
all of the certification authority (CA) root certificate and
intermediate certificate has to be installed on each of the
servers that's being accessed. Also, a connectivity to the
certificate revocation list (CRL) is required from all the
devices, servers, and VNFs to check for revoked certificates. In
a typical customer environment all the device, servers, and VNFs
do not have access to a public CRL location. Also, any changes in
the certificates (e.g. expiry or revocation) requires a manual or
a script based cleanup of certificates from all the servers.
In order to address these limitations and move towards a password-
less mechanism, we propose an approach that uses certificate based
SSH authentication using RADIUS protocol. The centralized server-
based system also helps solve all the above outlined limitations.
2.1. Centralized RADUIS Server based Solution
As shown in Figure 1, a method is devised to authenticate SSH
sessions using client certificates, where the device, server, VNF,
and CNF uses RADIUS protocol to validate the authenticity of the
certificate from a centralized RADIUS server. The RADIUS server will
get the username from the CN (common name) field in the client
certificate.
The benefits of using certificates for SSH session authentication are
as follows:
* It does not require a frequent client certificate replacement
(e.g., a certificate is typically valid for a year), which solves
the problem seen in the password-based authentications.
* It does not require client public keys to be copied to each
device, server, VNF, or CNF that needs to be accessed.
* It doesn't need any secondary out-of-band authentication like OTP
or a complex MFA (Multi-factor Authentication) solution.
* All the root certificates and intermediate certificates needs to
be installed on the RADIUS server only. This makes it easy for
many administrative tasks including initial setup, adding a new
CA, retiring of an old CA, certificate revocation check, and the
centralized access to the internet to download the revocation
list.
* Both the certificate validation and revocation check happen at a
centralized AAA server.
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 4]
Internet-Draft SSL Cert Radius December 2021
+----+ +----+
|VNF1| |VNF2|
+--+-+ +--+-+
+-----------+ ;-----; | | +---------------+
| | / \ +--+--------+-+ | Radius Server |
| Endpoint |--->( Network )--->| NFVI |--->| (AAA Server) |
| | \ / +-------------+ +-------+-------+
+-----------+ `-----' |
|
+--------------------+ |
| Service Provider |<------------+
| Cert Authority (CA)|
+--------------------+
Figure 1: Centralized RADIUS-based AAA System
3. Operational Details
Operation is identical to that defined in [RFC2865], [RFC5216], and
[RFC4252].
3.1. Basic Setup
Analogous to 802.1X authentication where there is an EAP Supplicant
(also known as EAP peer), pass-through authenticator, and a RADIUS
server. This solution has an SSH client that is similar to EAP
supplicant, an SSH server similar to pass-through authenticator, and
a RADIUS server. The SSH transport protocol defined in RFC 4253 MUST
be used as the lower layer of the EAP. The SSH transport protocol
satisfies all the requirements of the EAP lower layer defined in the
section 3.1 of the RFC 3748.
* Unreliable transport: Even though the EAP assumes that the lower
layer can be a unreliable transport and has retransmission built
into EAP itself. The SSH transport protocol is a reliable
transport protocol and handles its own retransmission when used
over TCP/IP. RFC 793 section 3.7 has the details of data
communication and retransmission behavior of TCP.
* Lower layer error detection: Error detection must be provided by
the EAP lower layer and SSH TP does that using the sequence
numbers in the TCP packets. This is detailed in the section 3.3
of the RFC 793.
* Lower layer security: EAP does not require lower layers to provide
security services, however SSH TP over TCP provides for
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 5]
Internet-Draft SSL Cert Radius December 2021
* Data integrity: as detailed in section 6.4 of RFC 4253 and section
9.3.2 of RFC 4251
* Replay protection: as detailed in section 9.3.3 of RFC 4251
* Authentication: as detailed in section 9.4 of RFC 4251
* Confidentiality: as detailed in section 6.3 of RFC 4253 and
section 9.3.1
* Minimum MTU: EAP requires the lower layer to support 1020 bytes or
higher MTU. SSH TP satisfies this requirement. In a typical TCP/
IP network the MTU is by default set to 1500 bytes which satisfies
the requirement for EAP.
* Possible duplication: while it is desirable that lower layers
provide for non-duplication, this is not a requirement.
* Ordering guarantees: Lower layer transports for EAP MUST preserve
ordering between a source and destination at a given priority
level (the ordering guarantee provided by [IEEE-802]). SSH TP
when used over TCP/IP guarantees ordered delivery of data from
source to destination. Section 2.6 of RFC 793 details the use of
sequence numbers in TCP.
The SSH client MUST support certificate-based authentication for the
SSH session. The SSH client MUST also have a X.509 client
certificate installed on the operating system. The client
certificate MUST have "client authentication" as value in the
enhanced key usage field of the certificate. This will ensure that
the client is ready to complete SSH authentication using the
installed X.509 client certificate.
The SSH server MUST be configured to send SSH authentication requests
to a RADIUS server.
The RADIUS server MUST have an X.509 server certificate installed on
the operating system. The server certificate MUST have ''server
authentication" as value in the enhanced key usage field of the
certificate. This will ensure that the RADIUS server is ready to
authenticate SSH clients using certificates. The RADIUS server MUST
also be configured to do EAP-TLS authentication as described in
[RFC3748].
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 6]
Internet-Draft SSL Cert Radius December 2021
3.2. EAP TLS authentication
Although other inner methods of EAP could be supported for
authentication here such as EAP-MSCHAP, EAP-MD5 or EAP-FAST etc,
however they do not provide much benefit over the current password
based authentication that exist. This draft only focuses on the EAP-
TLS inner method as that gives the ability to allow certificate based
authentication.
The SSH client will initiate an SSH connection to the SSH server.
The SSH server drives the authentication by telling the SSH client
which authentication methods can be used during the session.
The SSH client MUST choose a client certificate installed in the
operating system as described in the section 2.1 Basic Setup. If
there are multiple client certificates then the SSH client SHOULD
choose a client certificate. If there is no certificate installed on
the SSH client, then the client MAY choose another authentication
methods defined in [RFC4251].
The SSH client initiates an SSH session to the SSH server. The SSH
server upon receiving the connection request MUST initiate the EAP-
TLS authentication by sending an EAP identity request to the SSH
client.
The SSH client picks the common name from the user certificate and
sends that as the EAP identity back to the SSH server.
3.3. RADIUS Access Request
The SSH server constructs a RADIUS authentication request and MUST
set the service type = Cert Login. This service type will be an
indication to the RADIUS server to use EAP-TLS authentication method
for that SSH session.
The RADIUS server MUST use EAP-TLS authentication for this session.
RADIUS server sends a response back to the SSH server as Radius
Access Challenge(EAP-Message(Code=Request TYPE=TLS EAP(EAP-TLS)))
The SSH server strips the EAP message from the RADIUS packet received
and forwards it to the SSH client. The message is (EAP-
Message(Code=Request TYPE=TLS EAP(EAP-TLS)).
The SSH client starts the TLS handshake by sending the EAP-
Message(TLS Client Hello) to the SSH server. The SSH server takes
the EAP message received in the previous step and wraps it in the
RADIUS access request and sends it to the RADIUS server. The message
is Radius Access Request(EAP-Message(TLS Client Hello)).
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 7]
Internet-Draft SSL Cert Radius December 2021
Upon receipt of this message the RADIUS server processes the client
hello message and sends a reply back to the SSH server with server
hello, server certificate, server key exchange and certificate
request. The message is Radius Access Challenge(EAP-Message(Server
Hello, Server Certificate, Server Key exchange, Certificate
Request).
The SSH server strips the EAP message from the RADIUS packet received
in the previous step and forwards it to the SSH client. The message
is EAP-Message(Server Hello, Server Certificate, Server Key exchange,
Certificate Request). The SSH client validates the server root
certificate installed. The SSH client moves ahead in the TLS
handshake process and sends the client certificate in a message to
the SSH server EAP-Message(TLS Client Certificate, TLS Client key
exchange, TLS Certificate Verify)).
The SSH server takes the EAP message received in the previous step
and wraps it in the RADIUS access request and sends it to the RADIUS
server. The message is Radius Access Request(EAP-Message(TLS Client
Certificate, TLS Client key exchange, TLS Certificate Verify)).
The RADIUS server validates the client certificate using the root CA
certificate chain. RADIUS server sends a TLS finished message to the
SSH server. The message is Radius Access Challenge(EAP-Message(TLS
Finished)).
The SSH server strips the EAP message from the RADIUS packet received
in the previous step and forwards it to the SSH client. The message
is EAP-Message(TLS Finished). The SSH client moves ahead in the EAP
phase and sends the next message. The message is EAP-
Message(TYPE=EAP-TLS)).
The SSH server takes the EAP message received in the previous step
and wraps it in the RADIUS access request and sends it to the RADIUS
server. The message is Radius Access Request(EAP-Message(TYPE=EAP-
TLS)).
RADIUS server processes the previous request and at this the EAP
authentication is successful. The message sent back to the SSH
server is Radius Accept(EAP-Message(EAP-Success)). The SSH server
strips the EAP message from the RADIUS packet received in the
previous step and forwards it to the SSH client. The message is EAP-
Message(EAP-Success).
The SSH session is established at this point. A message to this
effect is sent to the SSH client from the SSH server.
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 8]
Internet-Draft SSL Cert Radius December 2021
3.4. Radius Accounting Request
Endpoint VNF/CNF Radius Server
(SSH Client) (SSH/EAP Server) (AAA Server)
+---+------+ +--------+-----+ +-------+---+
| | |
| SSH Request to VM | |
|-------------------------->| |
| | |
| EAP Identity Request | |
|<--------------------------| |
| | |
| EAP Identity Response | |
| (CN from User Cert) | |
|-------------------------->| |
| | Radius Access Request |
| | (ST: Cert Login) |
| | EAP Msg: Identity |
| | (ID: CN from User Cert) |
| |------------------------>|
| | |
| | Radius Access Challenge |
| | (EAP Message |
| | RT: TLS EAP(EAP-TLS) |
| (EAP Message |<------------------------|
| RT: TLS EAP(EAP-TLS) | |
|<--------------------------| |
| | |
| EAP Message | |
| (TLS Client Hello) | |
|-------------------------->| |
| | Radius Access Request |
| | EAP-Message: |
| | (TLS client hello) |
| |------------------------>|
| | |
| | Cert Login |--+
| | supported | |
| | |<-+
| | |
| | Radius Access Challenge |
| | (EAP Message: |
| | Server Hello, |
| (EAP Message: | Server Cert, |
| Server Hello, | Key Exchange, |
| Server Cert, | Cert Request) |
| Key Exchange, |<------------------------|
| Cert Request) | |
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 9]
Internet-Draft SSL Cert Radius December 2021
|<--------------------------| |
| | |
|--+ Server Cert | |
| | Validation | |
|<-+ | |
| | |
| EAP message | |
| (TLS Client Certificate | |
| TLS Client Key Xchange | |
| TLS Cert Verify) | Radius Access Request |
|-------------------------->| (EAP message |
| | (TLS Client Certificate |
| | (TLS Client Key Xchange |
| | TLS Cert Verify) |
| |-------------------------|
| | |
| | Client Cert |--+
| | Validated | |
| | |<-+
| | |
| | |
| | Radius Access Challenge |
| | (EAP Message: |
| | TLS Finished) |
| |<------------------------|
| TLS Finished) | |
|<--------------------------| |
| | |
| EAP Message | |
| (Type: EAP-TLS) | |
|-------------------------->| |
| | Radius Access Request |
| | EAP Msg(Type: EAP-TLS) |
| |------------------------>|
| | |
| | Radius Access Accept |
| | (EAP Message: |
| | EAP-Success) |
| |<------------------------|
| EAP Success | |
|<--------------------------| |
| | |
| Session Established | |
|<--------------------------| |
| | |
Legends: CN: Common Name ST: Service Type RT: Request Type
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 10]
Internet-Draft SSL Cert Radius December 2021
Figure 2: Radius Accounting Request Flow
3.5. Radius Access Accept
As shown in Figure 2, when the Radius server supports the new
service-type, it sends a Radius Access Accept message. In case where
server does not support the certificate-based login type, it responds
with Radius Access Reject response indicating the new login not
supported. The corresponding call flow is shown in Figure 3.
Endpoint VNF/CNF Radius Server
(SSH Client) (SSH/EAP Server) (AAA Server)
+---+------+ +--------+-----+ +-------+---+
| | |
| SSH Request to VM | |
|-------------------------->| |
| | |
| EAP Identity Request | |
|<--------------------------| |
| | |
| EAP Identity Response | |
| (CN from User Cert) | |
|-------------------------->| |
| | Radius Access Request |
| | (ST: Cert Login) |
| | EAP Msg: Identity |
| | (ID: CN from User Cert) |
| |------------------------>|
| | |
| | Radius Access Reject |
| | (Login Not Supported*) |
| (EAP Failure |<------------------------|
| Cert login Not Supported) | |
|<--------------------------| |
| | |
Legends: CN: Common Name ST: Service Type RT: Request Type
Figure 3: AAA Server Does not Support Service Type
4. Protocol Details
Operation is identical to that defined in [RFC2865], [RFC5216], and
[RFC4252].
4.1. Packet Format
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 11]
Internet-Draft SSL Cert Radius December 2021
4.2. Packet Types
The RADIUS Packet type is determined by the 'Code' field in the first
octet of the packet.
4.2.1. Access Request
The Access-Request packet type is same as defined in [RFC2865]. Here
is a summary of the Access-Request packet format as shown in
Figure 4. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Request Authenticator |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure 4: Access Request Packet Format
Within the same framework, this draft adds a new service-type
attribute value that will be sent in the Access-Request packet.
4.3. Attributes
4.3.1. Service Type
The 'Type' attribute value will have the same format as the service-
type field defined in [RFC2865] and is shown in Figure 5. The fields
are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value (cont.) |
|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Service Type Encoding
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 12]
Internet-Draft SSL Cert Radius December 2021
Type
* 6 for Service-Type
Length
* 6 bytes
Value: the current types supported are as follows.
* Login
* Framed
* Callback Login
* Callback Framed
* Outbound
* Administrative
* NAS Prompt
* Authenticate Only
* Callback NAS Prompt
* Call Check
* Callback Administrative
This draft introduces a new service-type value as below.
* Cert Login
The Cert Login value shall be used by AAA Client in an Access-Request
packet to indicate to the RADIUS server that EAP-TLS authentication
needs to be used for this session. It is recommended that the
endpoint shall have a client certificate installed and ready to be
used during the authentication.
5. IANA Considerations
This section provides guidance to the Internet Assigned Numbers
Authority (IANA) regarding registration of values related to the
RADIUS protocol, in accordance with [RFC8126].
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 13]
Internet-Draft SSL Cert Radius December 2021
A new attribute is proposed to be added to the RADIUS Radius Access
Request in the Service-Type Enum.
6. Security Considerations
The user certificate used by the clients must be stored in a non-
shared location of the operating system. This will ensure that the
users on the same system are not able to use each other certificates.
All the security considerations apply from the RFC 2865 as well.
7. Summary
A scalable, centralized, and standard-based method for management of
user login authentication is described. The proposal comprise of an
enhancement to the RADIUS protocol message and certain server side
enhancements shall be required to support the new functionality.
Once implemented, the enhanced server shall provide an improved user
experience involving a high frequency and a high scale of user
authentication across a range of interconnected agents (e.g. client
and servers). The enhancement provides an improved configuration and
management of the authentication infrastructure and reduces the
overhead related to deployment of root and intermediate certificates
at individual network nodes. This enhancement not only makes the
initial setup easier, but also revocation check easier due to the
centralized design. Addition and retirement of root and intermediate
certificates are among the most time saving aspects of the proposed
enhancement.
8. Acknowledgments
We are grateful for the input from IESG members and from a number of
individual members of the IETF community who share our concern for
doing the right thing.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000,
<https://www.rfc-editor.org/info/rfc2865>.
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 14]
Internet-Draft SSL Cert Radius December 2021
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004,
<https://www.rfc-editor.org/info/rfc3748>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", January 2005,
<https://tools.ietf.org/html/rfc3986#section-3.3>.
[RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251,
January 2006, <https://www.rfc-editor.org/info/rfc4251>.
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252,
January 2006, <https://www.rfc-editor.org/info/rfc4252>.
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, DOI 10.17487/RFC5216,
March 2008, <https://www.rfc-editor.org/info/rfc5216>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
9.2. Informative References
[RFC3987] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", January 2005,
<https://tools.ietf.org/html/rfc3986#section-3.3>.
Authors' Addresses
Devendra Vishwakarma
Cisco Systems
Apex, North Carolina 27523
United States of America
Email: dvishwak@cisco.com
Prakash Suthar
Google Inc.
Mountain View, California 94043
United States of America
Email: psuthar@google.com
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 15]
Internet-Draft SSL Cert Radius December 2021
Vivek Agarwal
Cisco Systems
Apex, North Carolina 27523
United States of America
Email: vivagarw@cisco.com
Anil Jangam (editor)
Cisco Systems
San Jose, California 95134
United States of America
Email: anjangam@cisco.com
Devendra Vishwakarma, et alExpires 1 July 2022 [Page 16]