Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2618 (if approved)                          June 26, 2006
Expires: December 28, 2006

                RADIUS Authentication Client MIB for IPV6
                    draft-ietf-radext-rfc2618bis-04.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 28, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a set of extensions that instrument RADIUS
   authentication client functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions, IP-based management stations can manage RADIUS
   authentication clients.

   This memo obsoletes RFC 2618 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2618 are carried forward into this document.  The memo also adds
   UNITS and REFERENCE clauses to selected objects.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

   This document uses the word "malformed" with respect to RADIUS
   packets, particularly in the context of counters of "malformed
   packets".  While RFC 2865 does not provide an explicit definition of
   "malformed", malformed generally means that the implementation has
   determined the packet does not match the format defined in RFC 2865.
   Some implementations may determine that packets are malformed when
   the Vendor Specific Attribute (VSA) format does not follow the RFC
   2865 recommendations for VSAs.  Those implementations are used in
   deployments today, and thus set the de facto definition of
   "malformed".

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Client as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
   Client MIB, by deprecating the radiusAuthServerTable table and adding
   a new table, radiusAuthServerExtTable, containing
   radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
   radiusAuthClientServerInetPortNumber.  The purpose of these added MIB
   objects is to support version neutral IP addressing formats.  The
   existing table containing radiusAuthServerAddress and
   radiusAuthClientServerPortNumber is deprecated.  The remaining MIB
   objects are carried forward from RFC 2618 into this document.  This
   memo also adds UNITS and REFERENCE clauses to selected objects.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   IPv6 addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP.  The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated".
   The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically Network Access Server (NAS) devices implement the client
   function, and thus would be expected to implement the RADIUS
   authentication client MIB, while RADIUS authentication servers
   implement the server function, and thus would be expected to
   implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.  The client MIB is defined
   in this document, and the server MIB is defined in [2619bis].

   RFC Editor: Replace the above I-D reference with the assigned RFC
   number at the time of publication and delete this note.

   This MIB module contains two scalars as well as a single table, the
   RADIUS Authentication Server Table, which contains one row for each
   RADIUS authentication server with which the client shares a secret.
   Each entry in the RADIUS Authentication Server Table includes sixteen
   columns presenting a view of the activity of the RADIUS
   authentication client.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2618
   [RFC2618].
   There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.
   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS server
   address represented in such a table row is not an IPv4 address.
   Managed entities SHOULD NOT return inaccurate values of IP address or
   SNMP object access errors for IPv4-only address objects in otherwise
   populated tables.  When row entries exist in both the deprecated
   IPv4-only table and the new IP version neutral table that describe
   the same RADIUS server, the row indexes SHOULD be the same for the
   corresponding rows in each table, to facilitate correlation of these
   related rows by management applications.

7.  Definitions

   RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
          Counter32, Integer32, Gauge32,
          IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
          SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress,
          InetPortNumber                   FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

   radiusAuthClientMIB MODULE-IDENTITY
          LAST-UPDATED "200605100000Z" -- 10 May 2006
          ORGANIZATION "IETF RADIUS Extensions Working Group."
          CONTACT-INFO
                 " Bernard Aboba
                   Microsoft
                   One Microsoft Way
                   Redmond, WA  98052
                   US
                   Phone: +1 425 936 6605
                   EMail: bernarda@microsoft.com"
          DESCRIPTION
              "The MIB module for entities implementing the client
               side of the Remote Authentication Dial-In User Service
               (RADIUS) authentication protocol.  Copyright (C) The
               Internet Society (2006).  This version of this MIB
               module is part of RFC xxxx; see the RFC itself for
               full legal notices."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.

          REVISION "200605100000Z"  -- 10 May 2006
          DESCRIPTION
              "Revised version as published in RFC xxxx.  This
               version obsoletes that of RFC 2618 by deprecating
               the MIB table containing IPv4-only address formats
               and defining a new table to add support for version
               neutral IP address formats.  The remaining MIB objects
               from RFC 2618 are carried forward into this version."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.

          REVISION "199906110000Z"  -- 11 Jun 1999
          DESCRIPTION "Initial version as published in RFC 2618."
          ::= { radiusAuthentication 2 }

   radiusMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
              "The OID assigned to RADIUS MIB work by the IANA."
          ::= { mib-2 67 }

   radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

   radiusAuthClientMIBObjects  OBJECT IDENTIFIER
          ::= { radiusAuthClientMIB 1 }

   radiusAuthClient  OBJECT IDENTIFIER
          ::= { radiusAuthClientMIBObjects 1 }

   radiusAuthClientInvalidServerAddresses OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Response packets
                 received from unknown addresses."
          ::= { radiusAuthClient 1 }

   radiusAuthClientIdentifier OBJECT-TYPE
          SYNTAX SnmpAdminString
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client.
                 This is not necessarily the same as sysName in MIB II."
          REFERENCE "RFC 2865 section 5.32"
          ::= { radiusAuthClient 2 }

   radiusAuthServerTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS deprecated
          DESCRIPTION
                "The (conceptual) table listing the RADIUS authentication
                 servers with which the client shares a secret."
          ::= { radiusAuthClient 3 }

   radiusAuthServerEntry OBJECT-TYPE
          SYNTAX RadiusAuthServerEntry
          MAX-ACCESS not-accessible
          STATUS deprecated
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication server with which the client shares
                 a secret."
          INDEX { radiusAuthServerIndex }
          ::= { radiusAuthServerTable 1 }

   RadiusAuthServerEntry ::= SEQUENCE {
          radiusAuthServerIndex                     Integer32,
          radiusAuthServerAddress                   IpAddress,
          radiusAuthClientServerPortNumber          Integer32,
          radiusAuthClientRoundTripTime             TimeTicks,
          radiusAuthClientAccessRequests            Counter32,
          radiusAuthClientAccessRetransmissions     Counter32,
          radiusAuthClientAccessAccepts             Counter32,
          radiusAuthClientAccessRejects             Counter32,
          radiusAuthClientAccessChallenges          Counter32,
          radiusAuthClientMalformedAccessResponses  Counter32,
          radiusAuthClientBadAuthenticators         Counter32,
          radiusAuthClientPendingRequests           Gauge32,
          radiusAuthClientTimeouts                  Counter32,
          radiusAuthClientUnknownTypes              Counter32,
          radiusAuthClientPacketsDropped            Counter32
   }

   radiusAuthServerIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS deprecated
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 Authentication server with which this client
                 communicates."
          ::= { radiusAuthServerEntry 1 }

   radiusAuthServerAddress OBJECT-TYPE
          SYNTAX IpAddress
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The IP address of the RADIUS authentication server
                 referred to in this table entry."
          ::= { radiusAuthServerEntry 2 }

   radiusAuthClientServerPortNumber OBJECT-TYPE
          SYNTAX Integer32 (0..65535)
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The UDP port the client is using to send requests to
                 this server."
          REFERENCE "RFC 2865 section 3"
          ::= { radiusAuthServerEntry 3 }

   radiusAuthClientRoundTripTime OBJECT-TYPE
          SYNTAX TimeTicks
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The time interval (in hundredths of a second) between
                 the most recent Access-Reply/Access-Challenge and the
                 Access-Request that matched it from this RADIUS
                 authentication server."
          ::= { radiusAuthServerEntry 4 }

   -- Request/Response statistics
   --
   -- TotalIncomingPackets = Accepts + Rejects + Challenges +
   -- UnknownTypes
   --
   -- TotalIncomingPackets - MalformedResponses -
   -- BadAuthenticators - UnknownTypes - PacketsDropped =
   -- Successfully received
   --
   -- AccessRequests + PendingRequests + ClientTimeouts =
   -- Successfully received
   --
   --

   radiusAuthClientAccessRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Request packets sent
                 to this server.  This does not include retransmissions."
          REFERENCE "RFC 2865 section 4.1"
          ::= { radiusAuthServerEntry 5 }

   radiusAuthClientAccessRetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 retransmitted to this RADIUS authentication server."
          REFERENCE "RFC 2865 sections 2.5, 4.1"
          ::= { radiusAuthServerEntry 6 }

   radiusAuthClientAccessAccepts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 (valid or invalid) received from this server."
          REFERENCE "RFC 2865 section 4.2"
          ::= { radiusAuthServerEntry 7 }

   radiusAuthClientAccessRejects OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 (valid or invalid) received from this server."
          REFERENCE "RFC 2865 section 4.3"
          ::= { radiusAuthServerEntry 8 }

   radiusAuthClientAccessChallenges OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 (valid or invalid) received from this server."
          REFERENCE "RFC 2865 section 4.4"
          ::= { radiusAuthServerEntry 9 }

   -- "Access-Response" includes an Access-Accept, Access-Challenge
   -- or Access-Reject

   radiusAuthClientMalformedAccessResponses OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of malformed RADIUS Access-Response
                 packets received from this server.
                 Malformed packets include packets with
                 an invalid length.  Bad authenticators or
                 Message Authenticator attributes or unknown types
                 are not included as malformed access responses."
          ::= { radiusAuthServerEntry 10 }

   radiusAuthClientBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Response packets
                 containing invalid authenticators or Message
                 Authenticator attributes received from this server."
          REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14"
          ::= { radiusAuthServerEntry 11 }

   radiusAuthClientPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 destined for this server that have not yet timed out
                 or received a response.  This variable is incremented
                 when an Access-Request is sent and decremented due to
                 receipt of an Access-Accept, Access-Reject or
                 Access-Challenge, a timeout or retransmission."
          REFERENCE "RFC 2865 section 2"
          ::= { radiusAuthServerEntry 12 }

   radiusAuthClientTimeouts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "timeouts"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of authentication timeouts to this server.
                 After a timeout the client may retry to the same
                 server, send to a different server, or
                 give up.  A retry to the same server is counted as a
                 retransmit as well as a timeout.  A send to a different
                 server is counted as a Request as well as a timeout."
          REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2"
          ::= { radiusAuthServerEntry 13 }

   radiusAuthClientUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this server on the authentication
                 port."
          ::= { radiusAuthServerEntry 14 }

   radiusAuthClientPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS deprecated
          DESCRIPTION
                "The number of RADIUS packets which were
                 received from this server on the authentication port
                 and dropped for some other reason."
          ::= { radiusAuthServerEntry 15 }

   -- New MIB Objects in this revision

   radiusAuthServerExtTable OBJECT-TYPE
          SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS authentication
                 servers with which the client shares a secret."
          ::= { radiusAuthClient 4 }

   radiusAuthServerExtEntry OBJECT-TYPE
          SYNTAX RadiusAuthServerExtEntry
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication server with which the client shares
                 a secret."
          INDEX { radiusAuthServerExtIndex }
          ::= { radiusAuthServerExtTable 1 }

   RadiusAuthServerExtEntry ::= SEQUENCE {
          radiusAuthServerExtIndex                     Integer32,
          radiusAuthServerInetAddressType              InetAddressType,
          radiusAuthServerInetAddress                  InetAddress,
          radiusAuthClientServerInetPortNumber         InetPortNumber,
          radiusAuthClientExtRoundTripTime             TimeTicks,
          radiusAuthClientExtAccessRequests            Counter32,
          radiusAuthClientExtAccessRetransmissions     Counter32,
          radiusAuthClientExtAccessAccepts             Counter32,
          radiusAuthClientExtAccessRejects             Counter32,
          radiusAuthClientExtAccessChallenges          Counter32,
          radiusAuthClientExtMalformedAccessResponses  Counter32,
          radiusAuthClientExtBadAuthenticators         Counter32,
          radiusAuthClientExtPendingRequests           Gauge32,
          radiusAuthClientExtTimeouts                  Counter32,
          radiusAuthClientExtUnknownTypes              Counter32,
          radiusAuthClientExtPacketsDropped            Counter32,
          radiusAuthClientCounterDiscontinuity         TimeTicks
   }

   radiusAuthServerExtIndex OBJECT-TYPE
          SYNTAX Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS current
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 Authentication server with which this client
                 communicates."
          ::= { radiusAuthServerExtEntry 1 }

   radiusAuthServerInetAddressType OBJECT-TYPE
          SYNTAX InetAddressType
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The type of address format used for the
                 radiusAuthServerInetAddress object."
          ::= { radiusAuthServerExtEntry 2 }

   radiusAuthServerInetAddress OBJECT-TYPE
          SYNTAX InetAddress
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The IP address of the RADIUS authentication
                 server referred to in this table entry, using
                 the version neutral IP address format."
          ::= { radiusAuthServerExtEntry 3 }

   radiusAuthClientServerInetPortNumber OBJECT-TYPE
          SYNTAX InetPortNumber ( 1..65535 )
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The UDP port the client is using to send requests
                 to this server.  The value of zero (0) is invalid."
          REFERENCE "RFC 2865 section 3"
          ::= { radiusAuthServerExtEntry 4 }

   radiusAuthClientExtRoundTripTime OBJECT-TYPE
          SYNTAX TimeTicks
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The time interval (in hundredths of a second) between
                 the most recent Access-Reply/Access-Challenge and the
                 Access-Request that matched it from this RADIUS
                 authentication server."
          REFERENCE "RFC 2865 section 2"
          ::= { radiusAuthServerExtEntry 5 }

   -- Request/Response statistics
   --
   -- TotalIncomingPackets = Accepts + Rejects + Challenges +
   -- UnknownTypes
   --
   -- TotalIncomingPackets - MalformedResponses -
   -- BadAuthenticators - UnknownTypes - PacketsDropped =
   -- Successfully received
   --
   -- AccessRequests + PendingRequests + ClientTimeouts =
   -- Successfully received
   --
   --

   radiusAuthClientExtAccessRequests OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Request packets sent
                 to this server.  This does not include retransmissions.
                 This counter may experience a discontinuity when the
                 RADIUS Client module within the managed entity is
                 reinitialized, as indicated by the current value of
                 radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 section 4.1"
          ::= { radiusAuthServerExtEntry 6 }

   radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 retransmitted to this RADIUS authentication server.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed entity
                 is reinitialized, as indicated by the current value
                 of radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 sections 2.5, 4.1"
          ::= { radiusAuthServerExtEntry 7 }

   radiusAuthClientExtAccessAccepts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 (valid or invalid) received from this server.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed entity
                 is reinitialized, as indicated by the current value
                 of radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 section 4.2"
          ::= { radiusAuthServerExtEntry 8 }

   radiusAuthClientExtAccessRejects OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 (valid or invalid) received from this server.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed
                 entity is reinitialized, as indicated by the
                 current value of
                 radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 section 4.3"
          ::= { radiusAuthServerExtEntry 9 }

   radiusAuthClientExtAccessChallenges OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 (valid or invalid) received from this server.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed
                 entity is reinitialized, as indicated by the
                 current value of
                 radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 section 4.4"
          ::= { radiusAuthServerExtEntry 10 }

   -- "Access-Response" includes an Access-Accept, Access-Challenge
   -- or Access-Reject

   radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of malformed RADIUS Access-Response
                 packets received from this server.
                 Malformed packets include packets with
                 an invalid length.  Bad authenticators or
                 Message Authenticator attributes or unknown types
                 are not included as malformed access responses.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed entity
                 is reinitialized, as indicated by the current value
                 of radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 sections 3, 4"
          ::= { radiusAuthServerExtEntry 11 }

   radiusAuthClientExtBadAuthenticators OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Response packets
                 containing invalid authenticators or Message
                 Authenticator attributes received from this server.
                 This counter may experience a discontinuity when
                 the RADIUS Client module within the managed entity
                 is reinitialized, as indicated by the current value
                 of radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 section 3"
          ::= { radiusAuthServerExtEntry 12 }

   radiusAuthClientExtPendingRequests OBJECT-TYPE
          SYNTAX Gauge32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 destined for this server that have not yet timed out
                 or received a response.  This variable is incremented
                 when an Access-Request is sent and decremented due to
                 receipt of an Access-Accept, Access-Reject or
                 Access-Challenge, a timeout or retransmission."
          REFERENCE "RFC 2865 section 2"
          ::= { radiusAuthServerExtEntry 13 }

   radiusAuthClientExtTimeouts OBJECT-TYPE
          SYNTAX Counter32
          UNITS "timeouts"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of authentication timeouts to this server.
                 After a timeout the client may retry to the same
                 server, send to a different server, or
                 give up.  A retry to the same server is counted as a
                 retransmit as well as a timeout.  A send to a different
                 server is counted as a Request as well as a timeout.
                 This counter may experience a discontinuity when the
                 RADIUS Client module within the managed entity is
                 reinitialized, as indicated by the current value of
                 radiusAuthClientCounterDiscontinuity."
          REFERENCE "RFC 2865 sections 2.5, 4.1"
          ::= { radiusAuthServerExtEntry 14 }

   radiusAuthClientExtUnknownTypes OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this server on the authentication
                 port.  This counter may experience a discontinuity
                 when the RADIUS Client module within the managed
                 entity is reinitialized, as indicated by the current
                 value of radiusAuthClientCounterDiscontinuity."
            REFERENCE "RFC 2865 section 4"
            ::= { radiusAuthServerExtEntry 15 }

    radiusAuthClientExtPacketsDropped OBJECT-TYPE
            SYNTAX Counter32
            UNITS "packets"
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The number of RADIUS packets which were
                   received from this server on the authentication port
                   and dropped for some other reason. This counter may
                   experience a discontinuity when the RADIUS Client
                   module within the managed entity is reinitialized,
                   as indicated by the current value of
                   radiusAuthClientCounterDiscontinuity."
            ::= { radiusAuthServerExtEntry 16 }

    radiusAuthClientCounterDiscontinuity OBJECT-TYPE
            SYNTAX TimeTicks
            UNITS "centiseconds"
            MAX-ACCESS read-only
            STATUS current
            DESCRIPTION
                  "The number of centiseconds since the last discontinuity
                   in the RADIUS Client counters. A discontinuity may
                   be the result of a reinitialization of the RADIUS
                   Client module within the managed entity."
            ::= { radiusAuthServerExtEntry 17 }

    -- conformance information

    radiusAuthClientMIBConformance OBJECT IDENTIFIER
            ::= { radiusAuthClientMIB 2 }

    radiusAuthClientMIBCompliances OBJECT IDENTIFIER
            ::= { radiusAuthClientMIBConformance 1 }

    radiusAuthClientMIBGroups OBJECT IDENTIFIER
            ::= { radiusAuthClientMIBConformance 2 }

    -- compliance statements

    radiusAuthClientMIBCompliance MODULE-COMPLIANCE
            STATUS deprecated
            DESCRIPTION
                  "The compliance statement for authentication clients
                   implementing the RADIUS Authentication Client MIB.
                   Implementation of this module is for IPv4-only
                   entities, or for backwards compatibility use with
                   entities that support both IPv4 and IPv6."
            MODULE -- this module
                  MANDATORY-GROUPS { radiusAuthClientMIBGroup }

            ::= { radiusAuthClientMIBCompliances 1 }

    radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
            STATUS current
            DESCRIPTION
                  "The compliance statement for authentication
                   clients implementing the RADIUS Authentication
                   Client IPv6 Extensions MIB. Implementation of
                   this module is for entities that support IPv6,
                   or support IPv4 and IPv6."
            MODULE -- this module
                  MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

            OBJECT radiusAuthServerInetAddressType
            SYNTAX InetAddressType { ipv4(1), ipv6(2) }
            DESCRIPTION
                  "An implementation is only required to support
                   IPv4 and globally unique IPv6 addresses."

            OBJECT radiusAuthServerInetAddress
            SYNTAX InetAddress ( SIZE (4|16) )
            DESCRIPTION
                  "An implementation is only required to support
                   IPv4 and globally unique IPv6 addresses."
            ::= { radiusAuthClientMIBCompliances 2 }

    -- units of conformance

    radiusAuthClientMIBGroup OBJECT-GROUP
            OBJECTS { radiusAuthClientIdentifier,
                      radiusAuthClientInvalidServerAddresses,
                      radiusAuthServerAddress,
                      radiusAuthClientServerPortNumber,
                      radiusAuthClientRoundTripTime,
                      radiusAuthClientAccessRequests,
                      radiusAuthClientAccessRetransmissions,
                      radiusAuthClientAccessAccepts,
                      radiusAuthClientAccessRejects,
                      radiusAuthClientAccessChallenges,
                      radiusAuthClientMalformedAccessResponses,
                      radiusAuthClientBadAuthenticators,
                      radiusAuthClientPendingRequests,
                      radiusAuthClientTimeouts,
                      radiusAuthClientUnknownTypes,
                      radiusAuthClientPacketsDropped
                    }
            STATUS deprecated
            DESCRIPTION
                  "The basic collection of objects providing management of
                   RADIUS Authentication Clients."
            ::= { radiusAuthClientMIBGroups 1 }

    radiusAuthClientExtMIBGroup OBJECT-GROUP
            OBJECTS { radiusAuthClientIdentifier,
                      radiusAuthClientInvalidServerAddresses,
                      radiusAuthServerInetAddressType,
                      radiusAuthServerInetAddress,
                      radiusAuthClientServerInetPortNumber,
                      radiusAuthClientExtRoundTripTime,
                      radiusAuthClientExtAccessRequests,
                      radiusAuthClientExtAccessRetransmissions,
                      radiusAuthClientExtAccessAccepts,
                      radiusAuthClientExtAccessRejects,
                      radiusAuthClientExtAccessChallenges,
                      radiusAuthClientExtMalformedAccessResponses,
                      radiusAuthClientExtBadAuthenticators,
                      radiusAuthClientExtPendingRequests,
                      radiusAuthClientExtTimeouts,
                      radiusAuthClientExtUnknownTypes,
                      radiusAuthClientExtPacketsDropped,
                      radiusAuthClientCounterDiscontinuity
                    }
            STATUS current
            DESCRIPTION
                  "The collection of extended objects providing
                   management of RADIUS Authentication Clients
                   using version neutral IP address format."
            ::= { radiusAuthClientMIBGroups 2 }

    END

8. IANA Considerations

   This document requires no new IANA assignments.

9. Security Considerations

   There are no management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create. So, if this MIB
   is implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.
   These are the tables and objects and their sensitivity/vulnerability:

   radiusAuthServerIPAddress  This can be used to determine the address
      of the RADIUS authentication server with which the client is
      communicating. This information could be useful in mounting an
      attack on the authentication server.

   radiusAuthClientServerPortNumber  This can be used to determine the
      port number on which the RADIUS authentication client is sending.
      This information could be useful in impersonating the client in
      order to send data to the authentication server.

   radiusAuthServerInetAddress  This can be used to determine the address
      of the RADIUS authentication server with which the client is
      communicating. This information could be useful in mounting an
      attack on the authentication server.

   radiusAuthClientServerInetPortNumber  This can be used to determine
      the port number on which the RADIUS authentication client is
      sending. This information could be useful in impersonating the
      client in order to send data to the authentication server.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

10. References

10.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2. Informative References

   [2619bis]  Nelson, D., "RADIUS Authentication Server MIB for IPv6",
              draft-ietf-radext-rfc2619bis-04.txt (work in progress),
              June 2006.

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Appendix A. Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to Dave Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.
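   The counter semantics defined by the radiusAuthClientExt* objects
   above (what increments and decrements radiusAuthClientExtPendingRequests,
   how a timeout followed by a retry or a failover is counted, and which
   received packets land in the malformed, bad-authenticator, unknown-type
   and dropped counters) are easiest to check against a small model. The
   Python below is an added example written for this note; it is not code
   from the draft, from RFC 2865 or from any RADIUS implementation. The
   class and method names are this example's own, the shared secret and
   packet bytes are constructed test values, and the Response
   Authenticator check follows RFC 2865 section 3; validation of the
   Message-Authenticator attribute is not modelled.

```python
"""Model of the per-server counters exposed by the radiusAuthClientExt*
objects.  Added example; not code from the draft or any RADIUS stack.
Names are this example's own; RADIUS codes and the Response Authenticator
rule are from RFC 2865 sections 3 and 4."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
KNOWN_CODES = {1, 2, 3, 4, 5, 11, 12, 13}          # RFC 2865 section 4 codes
RESPONSE_COUNTER = {ACCESS_ACCEPT: "access_accepts",
                    ACCESS_REJECT: "access_rejects",
                    ACCESS_CHALLENGE: "access_challenges"}
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator


@dataclass
class ServerRow:
    """One row of radiusAuthServerExtTable (Counter32/Gauge32 objects)."""
    access_requests: int = 0
    access_retransmissions: int = 0
    access_accepts: int = 0
    access_rejects: int = 0
    access_challenges: int = 0
    malformed_access_responses: int = 0
    bad_authenticators: int = 0
    pending_requests: int = 0           # Gauge32: requests still outstanding
    timeouts: int = 0
    unknown_types: int = 0
    packets_dropped: int = 0
    discontinuity_at: float = field(default_factory=time.monotonic)
    outstanding: dict = field(default_factory=dict)   # Identifier -> RequestAuth

    def counter_discontinuity(self) -> int:
        """radiusAuthClientCounterDiscontinuity: centiseconds since reset."""
        return int((time.monotonic() - self.discontinuity_at) * 100)


class RadiusClientStats:
    def __init__(self):
        self.rows: dict = {}

    def row(self, server: str) -> ServerRow:
        return self.rows.setdefault(server, ServerRow())

    def reinitialize(self) -> None:
        """Client module reinitialized: every counter restarts and the
        discontinuity timer is reset, as the DESCRIPTION clauses require."""
        self.rows = {server: ServerRow() for server in self.rows}

    def send_request(self, server: str, ident: int, request_auth: bytes) -> None:
        r = self.row(server)
        r.access_requests += 1
        r.pending_requests += 1
        r.outstanding[ident] = request_auth

    def timeout(self, server: str, ident: int, action: str, new_server: str = None) -> None:
        """action: 'retry' (same server), 'failover' (other server) or 'give_up'."""
        r = self.row(server)
        r.timeouts += 1
        r.pending_requests -= 1                 # the request has timed out
        request_auth = r.outstanding.pop(ident)
        if action == "retry":                   # counted as retransmit + timeout
            r.access_retransmissions += 1
            r.pending_requests += 1             # the resent packet is outstanding again
            r.outstanding[ident] = request_auth
        elif action == "failover":              # counted as Request (there) + timeout (here)
            self.send_request(new_server, ident, request_auth)

    def receive(self, server: str, packet: bytes, secret: bytes) -> str:
        """Classify a packet from the authentication port; returns the counter bumped."""
        r = self.row(server)
        if len(packet) < HEADER.size:           # invalid length -> malformed
            r.malformed_access_responses += 1
            return "malformed_access_responses"
        code, ident, length, resp_auth = HEADER.unpack_from(packet)
        if length < HEADER.size or length > len(packet):
            r.malformed_access_responses += 1
            return "malformed_access_responses"
        if code not in KNOWN_CODES:             # not a RADIUS code at all
            r.unknown_types += 1
            return "unknown_types"
        request_auth = r.outstanding.get(ident)
        if code not in RESPONSE_COUNTER or request_auth is None:
            r.packets_dropped += 1              # known type but not a reply we await
            return "packets_dropped"
        # RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER.size:length] + secret).digest()
        if not hmac.compare_digest(expected, resp_auth):
            r.bad_authenticators += 1           # request stays pending
            return "bad_authenticators"
        name = RESPONSE_COUNTER[code]
        setattr(r, name, getattr(r, name) + 1)
        r.pending_requests -= 1
        del r.outstanding[ident]
        return name


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Construct a server reply with a valid Response Authenticator (test helper)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs
```

   A MIB agent would read the ServerRow fields to answer GET requests for
   the corresponding objects; the model is useful mainly for confirming
   that a reply with a bad Response Authenticator leaves the request
   pending, and that a failover moves the pending count to the new
   server's row while the timeout stays on the old one.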
Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement

   Copyright (C) The Internet Society (2006). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.