Minutes of the Terminal Server Accounting and Authentication BOF (TERMACCT)
                        23RD IETF,  San Diego, CA

  Reported by Larry J. Blunk


   Discussion began with the distinguishing features of a Network Access 
Server (NAS).  The concept of a NAS is considered to be an abstraction.  For
example, a Unix host with async ports could very well be considered a NAS.
The difference between a NAS and a router is the notion of session based
services which can be authenticated and authorized.

   It was questioned whether the Authentication, Authorization, and
Accounting (AAA) servers would be running as separate servers or perhaps in
the NAS itself.  Again, the concept of AAA servers was viewed as a logical
abstraction.  The AAA servers could indeed be separate or in fact all run
on the same machine.

   Mention was made of the possibility of providing for interdomain AAA
services.  Some thought that this should be of primary concern in the
design process.  The DNS was used as an example of a hierarchical domain of
servers.

   Propagation of authentication information was discussed.  It would be
desirable to not have to re-authenticate the user for each service requested.

   There were questions asked concerning how Kerberos could be used as the
authentication mechanism.  While it would work fine for dumb terminals
and PPP's PAP protocol, PPP's CHAP protocol presents difficulties.

   There was discussion of authorization and how configuration parameters
are retrieved.  Authorization needs to be kept distinct from configuration.
Authorization information could be retrieved using a query and response
mechanism or all at once.  This is an implementation issue.

   The purpose of a NAS Working Group was discussed.  Should it define
the necessary standards, or use a liaison structure (similar to the Security
Working Group)?  While authentication and accounting are currently being
addressed, there are no groups currently working on authorization.  This
is a big issue.  A NAS Working Group could specify NAS specific authorization,
but it would be desirable to make it extensible rather than limit it to
NAS use only.  Some discussion was given to providing a mechanism for a
common user interface.  It was generally agreed that this would be outside
the scope of the group.

   There was some speculation that the requirements for dumb terminal access
and framed serial line services differed substantially enough to warrant
independent sub-groups.  However, there were many who thought that
there was enough common overlap to require a single group.  The name
NAAAG was suggested as a possible acronym for the group.

   The consensus of the BOF was that a NAS Working Group is needed and that
the requirements document needs to be further refined.  It was also mentioned
that those areas outside the scope of the Working Group should be defined.
There is also a need for communication and coordination with existing
Working Groups.