Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 26, 2006) is 6506 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2619 (Obsoleted by RFC 4669) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Nelson 3 Internet-Draft Enterasys Networks 4 Obsoletes: RFC 2619 (if approved) June 26, 2006 5 Expires: December 28, 2006 7 RADIUS Authentication Server MIB for IPv6 8 draft-ietf-radext-rfc2619bis-04.txt 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 
17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on December 28, 2006. 35 Copyright Notice 37 Copyright (C) The Internet Society (2006). 39 Abstract 41 This memo defines a set of extensions, which instrument RADIUS 42 authentication server functions. These extensions represent a 43 portion of the Management Information Base (MIB) for use with network 44 management protocols in the Internet community. Using these 45 extensions IP-based management stations can manage RADIUS 46 authentication servers. 48 This memo obsoletes RFC 2619 by deprecating the MIB table containing 49 IPv4-only address formats and defining a new table to add support for 50 version neutral IP address formats. The remaining MIB objects from 51 RFC 2619 are carried forward into this document. This memo also adds 52 UNITS and Reference clauses to selected objects. 54 Table of Contents 56 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. The Internet-Standard Management Framework . . . . . . . . . . 3 59 4. Scope of Changes . . . . . . . . . . . . . . . . . . . . . . . 3 60 5. Structure of the MIB Module . . . . . . . . . . . . . . . . . 4 61 6. Deprecated Objects . . . . . . . . . . . . . . . . . . . . . . 5 62 7. Definitions . . . . . . 
. . . . . . . . . . . . . . . . . . . 5 63 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 64 9. Security Considerations . . . . . . . . . . . . . . . . . . . 22 65 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 66 10.1. Normative References . . . . . . . . . . . . . . . . . . 23 67 10.2. Informative References . . . . . . . . . . . . . . . . . 23 68 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 24 69 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 70 Intellectual Property and Copyright Statements . . . . . . . . . . 26 72 1. Terminology 74 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 75 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 76 document are to be interpreted as described in RFC 2119 [RFC2119]. 78 This document uses terminology from RFC 2865 [RFC2865]. 80 This document uses the word "malformed" with respect to RADIUS 81 packets, particularly in the context of counters of "malformed 82 packets". While RFC 2865 does not provide an explicit definition of 83 "malformed", malformed generally means that the implementation has 84 determined the packet does not match the format defined in RFC 2865. 85 Some implementations may determine that packets are malformed when 86 the Vendor Specific Attribute (VSA) format does not follow the RFC 87 2865 recommendations for VSAs. Those implementations are used in 88 deployments today, and thus set the de-facto definition of 89 "malformed". 91 2. Introduction 93 This memo defines a portion of the Management Information Base (MIB) 94 for use with network management protocols in the Internet community. 95 The objects defined within this memo relate to the Remote 96 Authentication Dial-In User Service (RADIUS) Authentication Server as 97 defined in RFC 2865 [RFC2865]. 99 3. 
The Internet-Standard Management Framework 101 For a detailed overview of the documents that describe the current 102 Internet-Standard Management Framework, please refer to section 7 of 103 RFC 3410 [RFC3410]. 105 Managed objects are accessed via a virtual information store, termed 106 the Management Information Base or MIB. MIB objects are generally 107 accessed through the Simple Network Management Protocol (SNMP). 108 Objects in the MIB are defined using the mechanisms defined in the 109 Structure of Management Information (SMI). This memo specifies a MIB 110 module that is compliant to the SMIv2, which is described in STD 58, 111 RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 112 [RFC2580]. 114 4. Scope of Changes 116 This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication 117 Server MIB, by deprecating the radiusAuthClientTable table and adding 118 a new table, radiusAuthClientExtTable, containing 119 radiusAuthClientInetAddressType and radiusAuthClientInetAddress. The 120 purpose of these added MIB objects is to support version neutral IP 121 addressing formats. The existing table containing 122 radiusAuthClientAddress is deprecated. The remaining MIB objects 123 from RFC 2619 are carried forward into this document. This memo also 124 adds UNITS and REFERENCE clauses to selected objects. 126 RFC 4001 [RFC4001], which defines the SMI Textual Conventions for 127 version neutral IP addresses, contains the following recommendation. 129 'In particular, when revising a MIB module that contains IPv4 130 specific tables, it is suggested to define new tables using the 131 textual conventions defined in this memo [RFC4001] that support all 132 versions of IP. The status of the new tables SHOULD be "current", 133 whereas the status of the old IP version specific tables SHOULD be 134 changed to "deprecated". The other approach, of having multiple 135 similar tables for different IP versions, is strongly discouraged.' 137 5. 
Structure of the MIB Module 139 The RADIUS authentication protocol, described in RFC 2865 [RFC2865], 140 distinguishes between the client function and the server function. 141 In RADIUS authentication, clients send Access-Requests, and servers 142 reply with Access-Accepts, Access-Rejects, and Access-Challenges. 143 Typically NAS devices implement the client function, and thus would 144 be expected to implement the RADIUS authentication client MIB, while 145 RADIUS authentication servers implement the server function, and thus 146 would be expected to implement the RADIUS authentication server MIB. 148 However, it is possible for a RADIUS authentication entity to perform 149 both client and server functions. For example, a RADIUS proxy may 150 act as a server to one or more RADIUS authentication clients, while 151 simultaneously acting as an authentication client to one or more 152 authentication servers. In such situations, it is expected that 153 RADIUS entities combining client and server functionality will 154 support both the client and server MIBs. The server MIB is defined 155 in this document, and the client MIB is defined in [2618bis]. 157 RFC Editor: Replace the above I-D reference with the assigned RFC 158 number at the time of publication and delete this note. 160 This MIB module contains fourteen scalars as well as a single table, 161 the RADIUS Authentication Client Table, which contains one row for 162 each RADIUS authentication client with which the server shares a 163 secret. Each entry in the RADIUS Authentication Client Table 164 includes thirteen columns presenting a view of the activity of the 165 RADIUS authentication server. 167 6. Deprecated Objects 169 The deprecated table in this MIB is carried forward from RFC 2619 170 [RFC2619]. There are two conditions under which it MAY be desirable 171 for managed entities to continue to support the deprecated table: 173 1. The managed entity only supports IPv4 address formats. 174 2. 
The managed entity supports both IPv4 and IPv6 address formats, 175 and the deprecated table is supported for backwards compatibility 176 with older management stations. This option SHOULD only be used 177 when the IP addresses in the new table are in IPv4 format and can 178 accurately be represented in both the new table and the 179 deprecated table. 181 Managed entities SHOULD NOT instantiate row entries in the deprecated 182 table, containing IPv4-only address objects, when the RADIUS client 183 address represented in such a table row is not an IPv4 address. 184 Managed entities SHOULD NOT return inaccurate values of IP address or 185 SNMP object access errors for IPv4-only address objects in otherwise 186 populated tables. When row entries exist in both the deprecated 187 IPv4-only table and the new IP version neutral table that describe 188 the same RADIUS client, the row indexes SHOULD be the same for the 189 corresponding rows in each table, to facilitate correlation of these 190 related rows by management applications. 192 7. Definitions 194 RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN 196 IMPORTS 197 MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, 198 Counter32, Integer32, 199 IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI 200 SnmpAdminString FROM SNMP-FRAMEWORK-MIB 201 InetAddressType, InetAddress FROM INET-ADDRESS-MIB 202 MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF; 204 radiusAuthServMIB MODULE-IDENTITY 205 LAST-UPDATED "200605100000Z" -- 10 May 2006 206 ORGANIZATION "IETF RADIUS Extensions Working Group." 207 CONTACT-INFO 208 " Bernard Aboba 209 Microsoft 210 One Microsoft Way 211 Redmond, WA 98052 212 US 213 Phone: +1 425 936 6605 214 EMail: bernarda@microsoft.com" 215 DESCRIPTION 216 "The MIB module for entities implementing the server 217 side of the Remote Authentication Dial-In User 218 Service (RADIUS) authentication protocol. Copyright 219 (C) The Internet Society (2006). 
This version of this 220 MIB module is part of RFC xxxx; see the RFC itself for 221 full legal notices." 223 -- RFC Editor: replace xxxx with actual RFC number at the time of 224 -- publication, and remove this note. 226 REVISION "200605100000Z" -- 10 May 2006 227 DESCRIPTION 228 "Revised version as published in RFC xxxx. This 229 version obsoletes that of RFC 2619 by deprecating the 230 MIB table containing IPv4-only address formats and 231 defining a new table to add support for version neutral 232 IP address formats. The remaining MIB objects from RFC 233 2619 are carried forward into this version." 235 -- RFC Editor: replace xxxx with actual RFC number at the time of 236 -- publication, and remove this note. 238 REVISION "199906110000Z" -- 11 Jun 1999 239 DESCRIPTION "Initial version as published in RFC 2619." 241 ::= { radiusAuthentication 1 } 243 radiusMIB OBJECT-IDENTITY 244 STATUS current 245 DESCRIPTION 246 "The OID assigned to RADIUS MIB work by the IANA." 247 ::= { mib-2 67 } 249 radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} 251 radiusAuthServMIBObjects OBJECT IDENTIFIER 252 ::= { radiusAuthServMIB 1 } 254 radiusAuthServ OBJECT IDENTIFIER 255 ::= { radiusAuthServMIBObjects 1 } 257 radiusAuthServIdent OBJECT-TYPE 258 SYNTAX SnmpAdminString 259 MAX-ACCESS read-only 260 STATUS current 261 DESCRIPTION 262 "The implementation identification string for the 263 RADIUS authentication server software in use on the 264 system, for example; `FNS-2.1'" 265 ::= {radiusAuthServ 1} 267 radiusAuthServUpTime OBJECT-TYPE 268 SYNTAX TimeTicks 269 MAX-ACCESS read-only 270 STATUS current 271 DESCRIPTION 272 "If the server has a persistent state (e.g., a 273 process), this value will be the time elapsed (in 274 hundredths of a second) since the server process 275 was started. For software without persistent state, 276 this value will be zero." 
277 ::= {radiusAuthServ 2} 279 radiusAuthServResetTime OBJECT-TYPE 280 SYNTAX TimeTicks 281 MAX-ACCESS read-only 282 STATUS current 283 DESCRIPTION 284 "If the server has a persistent state (e.g., a process) 285 and supports a `reset' operation (e.g., can be told to 286 re-read configuration files), this value will be the 287 time elapsed (in hundredths of a second) since the 288 server was `reset.' For software that does not 289 have persistence or does not support a `reset' 290 operation, this value will be zero." 291 ::= {radiusAuthServ 3} 293 radiusAuthServConfigReset OBJECT-TYPE 294 SYNTAX INTEGER { other(1), 295 reset(2), 296 initializing(3), 297 running(4)} 298 MAX-ACCESS read-write 299 STATUS current 300 DESCRIPTION 301 "Status/action object to reinitialize any persistent 302 server state. When set to reset(2), any persistent 303 server state (such as a process) is reinitialized as 304 if the server had just been started. This value will 305 never be returned by a read operation. When read, 306 one of the following values will be returned: 307 other(1) - server in some unknown state; 308 initializing(3) - server (re)initializing; 309 running(4) - server currently running." 310 ::= {radiusAuthServ 4} 312 radiusAuthServTotalAccessRequests OBJECT-TYPE 313 SYNTAX Counter32 314 UNITS "packets" 315 MAX-ACCESS read-only 316 STATUS current 317 DESCRIPTION 318 "The number of packets received on the 319 authentication port." 320 REFERENCE "RFC 2865 section 4.1" 321 ::= { radiusAuthServ 5} 323 radiusAuthServTotalInvalidRequests OBJECT-TYPE 324 SYNTAX Counter32 325 UNITS "packets" 326 MAX-ACCESS read-only 327 STATUS current 328 DESCRIPTION 329 "The number of RADIUS Access-Request packets 330 received from unknown addresses." 
331 REFERENCE "RFC 2865 section 4.1" 332 ::= { radiusAuthServ 6 } 334 radiusAuthServTotalDupAccessRequests OBJECT-TYPE 335 SYNTAX Counter32 336 UNITS "packets" 337 MAX-ACCESS read-only 338 STATUS current 339 DESCRIPTION 340 "The number of duplicate RADIUS Access-Request 341 packets received." 342 REFERENCE "RFC 2865 section 4.1" 343 ::= { radiusAuthServ 7 } 345 radiusAuthServTotalAccessAccepts OBJECT-TYPE 346 SYNTAX Counter32 347 UNITS "packets" 348 MAX-ACCESS read-only 349 STATUS current 350 DESCRIPTION 351 "The number of RADIUS Access-Accept packets sent." 352 REFERENCE "RFC 2865 section 4.2" 353 ::= { radiusAuthServ 8 } 355 radiusAuthServTotalAccessRejects OBJECT-TYPE 356 SYNTAX Counter32 357 UNITS "packets" 358 MAX-ACCESS read-only 359 STATUS current 360 DESCRIPTION 361 "The number of RADIUS Access-Reject packets sent." 362 REFERENCE "RFC 2865 section 4.3" 363 ::= { radiusAuthServ 9 } 365 radiusAuthServTotalAccessChallenges OBJECT-TYPE 366 SYNTAX Counter32 367 UNITS "packets" 368 MAX-ACCESS read-only 369 STATUS current 370 DESCRIPTION 371 "The number of RADIUS Access-Challenge packets sent." 372 REFERENCE "RFC 2865 section 4.4" 373 ::= { radiusAuthServ 10 } 375 radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE 376 SYNTAX Counter32 377 UNITS "packets" 378 MAX-ACCESS read-only 379 STATUS current 380 DESCRIPTION 381 "The number of malformed RADIUS Access-Request 382 packets received. Bad authenticators 383 and unknown types are not included as 384 malformed Access-Requests." 385 REFERENCE "RFC 2865 section 4.1" 386 ::= { radiusAuthServ 11 } 388 radiusAuthServTotalBadAuthenticators OBJECT-TYPE 389 SYNTAX Counter32 390 UNITS "packets" 391 MAX-ACCESS read-only 392 STATUS current 393 DESCRIPTION 394 "The number of RADIUS Authentication-Request packets 395 which contained invalid Message Authenticator 396 attributes received." 
397 REFERENCE "RFC 2865 section 3" 398 ::= { radiusAuthServ 12 } 400 radiusAuthServTotalPacketsDropped OBJECT-TYPE 401 SYNTAX Counter32 402 UNITS "packets" 403 MAX-ACCESS read-only 404 STATUS current 405 DESCRIPTION 406 "The number of incoming packets 407 silently discarded for some reason other 408 than malformed, bad authenticators or 409 unknown types." 410 REFERENCE "RFC 2865 section 3" 411 ::= { radiusAuthServ 13 } 413 radiusAuthServTotalUnknownTypes OBJECT-TYPE 414 SYNTAX Counter32 415 UNITS "packets" 416 MAX-ACCESS read-only 417 STATUS current 418 DESCRIPTION 419 "The number of RADIUS packets of unknown type which 420 were received." 421 REFERENCE "RFC 2865 section 4" 422 ::= { radiusAuthServ 14 } 424 radiusAuthClientTable OBJECT-TYPE 425 SYNTAX SEQUENCE OF RadiusAuthClientEntry 426 MAX-ACCESS not-accessible 427 STATUS deprecated 428 DESCRIPTION 429 "The (conceptual) table listing the RADIUS 430 authentication clients with which the server shares 431 a secret." 432 ::= { radiusAuthServ 15 } 434 radiusAuthClientEntry OBJECT-TYPE 435 SYNTAX RadiusAuthClientEntry 436 MAX-ACCESS not-accessible 437 STATUS deprecated 438 DESCRIPTION 439 "An entry (conceptual row) representing a RADIUS 440 authentication client with which the server shares a 441 secret." 
442 INDEX { radiusAuthClientIndex } 443 ::= { radiusAuthClientTable 1 } 445 RadiusAuthClientEntry ::= SEQUENCE { 446 radiusAuthClientIndex Integer32, 447 radiusAuthClientAddress IpAddress, 448 radiusAuthClientID SnmpAdminString, 449 radiusAuthServAccessRequests Counter32, 450 radiusAuthServDupAccessRequests Counter32, 451 radiusAuthServAccessAccepts Counter32, 452 radiusAuthServAccessRejects Counter32, 453 radiusAuthServAccessChallenges Counter32, 454 radiusAuthServMalformedAccessRequests Counter32, 455 radiusAuthServBadAuthenticators Counter32, 456 radiusAuthServPacketsDropped Counter32, 457 radiusAuthServUnknownTypes Counter32 458 } 460 radiusAuthClientIndex OBJECT-TYPE 461 SYNTAX Integer32 (1..2147483647) 462 MAX-ACCESS not-accessible 463 STATUS deprecated 464 DESCRIPTION 465 "A number uniquely identifying each RADIUS 466 authentication client with which this server 467 communicates." 468 ::= { radiusAuthClientEntry 1 } 470 radiusAuthClientAddress OBJECT-TYPE 471 SYNTAX IpAddress 472 MAX-ACCESS read-only 473 STATUS deprecated 474 DESCRIPTION 475 "The NAS-IP-Address of the RADIUS authentication client 476 referred to in this table entry." 477 REFERENCE "RFC 2865 section 2" 478 ::= { radiusAuthClientEntry 2 } 480 radiusAuthClientID OBJECT-TYPE 481 SYNTAX SnmpAdminString 482 MAX-ACCESS read-only 483 STATUS deprecated 484 DESCRIPTION 485 "The NAS-Identifier of the RADIUS authentication client 486 referred to in this table entry. This is not 487 necessarily the same as sysName in MIB II." 
488 REFERENCE "RFC 2865 section 5.32" 489 ::= { radiusAuthClientEntry 3 } 491 -- Server Counters 493 -- 494 -- Responses = AccessAccepts + AccessRejects + AccessChallenges 495 -- 496 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 497 -- UnknownTypes - PacketsDropped - Responses = Pending 498 -- 499 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 500 -- UnknownTypes - PacketsDropped = entries logged 502 radiusAuthServAccessRequests OBJECT-TYPE 503 SYNTAX Counter32 504 UNITS "packets" 505 MAX-ACCESS read-only 506 STATUS deprecated 507 DESCRIPTION 508 "The number of packets received on the authentication 509 port from this client." 510 REFERENCE "RFC 2865 section 4.1" 511 ::= { radiusAuthClientEntry 4 } 513 radiusAuthServDupAccessRequests OBJECT-TYPE 514 SYNTAX Counter32 515 UNITS "packets" 516 MAX-ACCESS read-only 517 STATUS deprecated 518 DESCRIPTION 519 "The number of duplicate RADIUS Access-Request 520 packets received from this client." 521 REFERENCE "RFC 2865 section 4.1" 522 ::= { radiusAuthClientEntry 5 } 524 radiusAuthServAccessAccepts OBJECT-TYPE 525 SYNTAX Counter32 526 UNITS "packets" 527 MAX-ACCESS read-only 528 STATUS deprecated 529 DESCRIPTION 530 "The number of RADIUS Access-Accept packets 531 sent to this client." 532 REFERENCE "RFC 2865 section 4.2" 533 ::= { radiusAuthClientEntry 6 } 535 radiusAuthServAccessRejects OBJECT-TYPE 536 SYNTAX Counter32 537 UNITS "packets" 538 MAX-ACCESS read-only 539 STATUS deprecated 540 DESCRIPTION 541 "The number of RADIUS Access-Reject packets 542 sent to this client." 543 REFERENCE "RFC 2865 section 4.3" 544 ::= { radiusAuthClientEntry 7 } 546 radiusAuthServAccessChallenges OBJECT-TYPE 547 SYNTAX Counter32 548 UNITS "packets" 549 MAX-ACCESS read-only 550 STATUS deprecated 551 DESCRIPTION 552 "The number of RADIUS Access-Challenge packets 553 sent to this client." 
554 REFERENCE "RFC 2865 section 4.4" 555 ::= { radiusAuthClientEntry 8 } 557 radiusAuthServMalformedAccessRequests OBJECT-TYPE 558 SYNTAX Counter32 559 UNITS "packets" 560 MAX-ACCESS read-only 561 STATUS deprecated 562 DESCRIPTION 563 "The number of malformed RADIUS Access-Request 564 packets received from this client. 565 Bad authenticators and unknown types are not included 566 as malformed Access-Requests." 567 REFERENCE "RFC 2865 section 3" 568 ::= { radiusAuthClientEntry 9 } 570 radiusAuthServBadAuthenticators OBJECT-TYPE 571 SYNTAX Counter32 572 UNITS "packets" 573 MAX-ACCESS read-only 574 STATUS deprecated 575 DESCRIPTION 576 "The number of RADIUS Authentication-Request packets 577 which contained invalid Message Authenticator 578 attributes received from this client." 579 REFERENCE "RFC 2865 section 3" 580 ::= { radiusAuthClientEntry 10 } 582 radiusAuthServPacketsDropped OBJECT-TYPE 583 SYNTAX Counter32 584 UNITS "packets" 585 MAX-ACCESS read-only 586 STATUS deprecated 587 DESCRIPTION 588 "The number of incoming packets from this 589 client silently discarded for some reason other 590 than malformed, bad authenticators or 591 unknown types." 592 REFERENCE "RFC 2865 section 3" 593 ::= { radiusAuthClientEntry 11 } 595 radiusAuthServUnknownTypes OBJECT-TYPE 596 SYNTAX Counter32 597 UNITS "packets" 598 MAX-ACCESS read-only 599 STATUS deprecated 600 DESCRIPTION 601 "The number of RADIUS packets of unknown type which 602 were received from this client." 603 REFERENCE "RFC 2865 section 4" 604 ::= { radiusAuthClientEntry 12 } 606 -- New MIB objects added in this revision 608 radiusAuthClientExtTable OBJECT-TYPE 609 SYNTAX SEQUENCE OF RadiusAuthClientExtEntry 610 MAX-ACCESS not-accessible 611 STATUS current 612 DESCRIPTION 613 "The (conceptual) table listing the RADIUS 614 authentication clients with which the server shares 615 a secret." 
616 ::= { radiusAuthServ 16 } 618 radiusAuthClientExtEntry OBJECT-TYPE 619 SYNTAX RadiusAuthClientExtEntry 620 MAX-ACCESS not-accessible 621 STATUS current 622 DESCRIPTION 623 "An entry (conceptual row) representing a RADIUS 624 authentication client with which the server shares a 625 secret." 626 INDEX { radiusAuthClientExtIndex } 627 ::= { radiusAuthClientExtTable 1 } 629 RadiusAuthClientExtEntry ::= SEQUENCE { 630 radiusAuthClientExtIndex Integer32, 631 radiusAuthClientInetAddressType InetAddressType, 632 radiusAuthClientInetAddress InetAddress, 633 radiusAuthClientExtID SnmpAdminString, 634 radiusAuthServExtAccessRequests Counter32, 635 radiusAuthServExtDupAccessRequests Counter32, 636 radiusAuthServExtAccessAccepts Counter32, 637 radiusAuthServExtAccessRejects Counter32, 638 radiusAuthServExtAccessChallenges Counter32, 639 radiusAuthServExtMalformedAccessRequests Counter32, 640 radiusAuthServExtBadAuthenticators Counter32, 641 radiusAuthServExtPacketsDropped Counter32, 642 radiusAuthServExtUnknownTypes Counter32, 643 radiusAuthServCounterDiscontinuity TimeTicks 644 } 646 radiusAuthClientExtIndex OBJECT-TYPE 647 SYNTAX Integer32 (1..2147483647) 648 MAX-ACCESS not-accessible 649 STATUS current 650 DESCRIPTION 651 "A number uniquely identifying each RADIUS 652 authentication client with which this server 653 communicates." 654 ::= { radiusAuthClientExtEntry 1 } 656 radiusAuthClientInetAddressType OBJECT-TYPE 657 SYNTAX InetAddressType 658 MAX-ACCESS read-only 659 STATUS current 660 DESCRIPTION 661 "The type of address format used for the 662 radiusAuthClientInetAddress object." 663 ::= { radiusAuthClientExtEntry 2 } 665 radiusAuthClientInetAddress OBJECT-TYPE 666 SYNTAX InetAddress 667 MAX-ACCESS read-only 668 STATUS current 669 DESCRIPTION 670 "The IP address of the RADIUS authentication 671 client referred to in this table entry, using 672 the version neutral IP address format." 
673 ::= { radiusAuthClientExtEntry 3 } 675 radiusAuthClientExtID OBJECT-TYPE 676 SYNTAX SnmpAdminString 677 MAX-ACCESS read-only 678 STATUS current 679 DESCRIPTION 680 "The NAS-Identifier of the RADIUS authentication client 681 referred to in this table entry. This is not 682 necessarily the same as sysName in MIB II." 683 REFERENCE "RFC 2865 section 5.32" 684 ::= { radiusAuthClientExtEntry 4 } 686 -- Server Counters 688 -- 689 -- Responses = AccessAccepts + AccessRejects + AccessChallenges 690 -- 691 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 692 -- UnknownTypes - PacketsDropped - Responses = Pending 693 -- 694 -- Requests - DupRequests - BadAuthenticators - MalformedRequests - 695 -- UnknownTypes - PacketsDropped = entries logged 697 radiusAuthServExtAccessRequests OBJECT-TYPE 698 SYNTAX Counter32 699 UNITS "packets" 700 MAX-ACCESS read-only 701 STATUS current 702 DESCRIPTION 703 "The number of packets received on the authentication 704 port from this client. This counter may experience a 705 discontinuity when the RADIUS Server module within the 706 managed entity is reinitialized, as indicated by the 707 current value of radiusAuthServCounterDiscontinuity." 708 REFERENCE "RFC 2865 section 4.1" 709 ::= { radiusAuthClientExtEntry 5 } 711 radiusAuthServExtDupAccessRequests OBJECT-TYPE 712 SYNTAX Counter32 713 UNITS "packets" 714 MAX-ACCESS read-only 715 STATUS current 716 DESCRIPTION 717 "The number of duplicate RADIUS Access-Request 718 packets received from this client. This counter may 719 experience a discontinuity when the RADIUS Server 720 module within the managed entity is reinitialized, as 721 indicated by the current value of 722 radiusAuthServCounterDiscontinuity." 
723 REFERENCE "RFC 2865 section 4.1" 724 ::= { radiusAuthClientExtEntry 6 } 726 radiusAuthServExtAccessAccepts OBJECT-TYPE 727 SYNTAX Counter32 728 UNITS "packets" 729 MAX-ACCESS read-only 730 STATUS current 731 DESCRIPTION 732 "The number of RADIUS Access-Accept packets 733 sent to this client. This counter may experience a 734 discontinuity when the RADIUS Server module within the 735 managed entity is reinitialized, as indicated by the 736 current value of radiusAuthServCounterDiscontinuity." 738 REFERENCE "RFC 2865 section 4.2" 739 ::= { radiusAuthClientExtEntry 7 } 741 radiusAuthServExtAccessRejects OBJECT-TYPE 742 SYNTAX Counter32 743 UNITS "packets" 744 MAX-ACCESS read-only 745 STATUS current 746 DESCRIPTION 747 "The number of RADIUS Access-Reject packets 748 sent to this client. This counter may experience a 749 discontinuity when the RADIUS Server module within the 750 managed entity is reinitialized, as indicated by the 751 current value of radiusAuthServCounterDiscontinuity." 752 REFERENCE "RFC 2865 section 4.3" 753 ::= { radiusAuthClientExtEntry 8 } 755 radiusAuthServExtAccessChallenges OBJECT-TYPE 756 SYNTAX Counter32 757 UNITS "packets" 758 MAX-ACCESS read-only 759 STATUS current 760 DESCRIPTION 761 "The number of RADIUS Access-Challenge packets 762 sent to this client. This counter may experience a 763 discontinuity when the RADIUS Server module within the 764 managed entity is reinitialized, as indicated by the 765 current value of radiusAuthServCounterDiscontinuity." 766 REFERENCE "RFC 2865 section 4.4" 767 ::= { radiusAuthClientExtEntry 9 } 769 radiusAuthServExtMalformedAccessRequests OBJECT-TYPE 770 SYNTAX Counter32 771 UNITS "packets" 772 MAX-ACCESS read-only 773 STATUS current 774 DESCRIPTION 775 "The number of malformed RADIUS Access-Request 776 packets received from this client. Bad authenticators 777 and unknown types are not included as malformed 778 Access-Requests. 
This counter may experience a 779 discontinuity when the RADIUS Server module within the 780 managed entity is reinitialized, as indicated by the 781 current value of radiusAuthServCounterDiscontinuity." 782 REFERENCE "RFC 2865 sections 3, 4.1" 783 ::= { radiusAuthClientExtEntry 10 } 785 radiusAuthServExtBadAuthenticators OBJECT-TYPE 786 SYNTAX Counter32 787 UNITS "packets" 788 MAX-ACCESS read-only 789 STATUS current 790 DESCRIPTION 791 "The number of RADIUS Authentication-Request packets 792 which contained invalid Message Authenticator 793 attributes received from this client. This counter 794 may experience a discontinuity when the RADIUS Server 795 module within the managed entity is reinitialized, as 796 indicated by the current value of 797 radiusAuthServCounterDiscontinuity." 798 REFERENCE "RFC 2865 section 3" 799 ::= { radiusAuthClientExtEntry 11 } 801 radiusAuthServExtPacketsDropped OBJECT-TYPE 802 SYNTAX Counter32 803 UNITS "packets" 804 MAX-ACCESS read-only 805 STATUS current 806 DESCRIPTION 807 "The number of incoming packets from this client 808 silently discarded for some reason other than 809 malformed, bad authenticators or unknown types. 810 This counter may experience a discontinuity when the 811 RADIUS Server module within the managed entity is 812 reinitialized, as indicated by the current value of 813 radiusAuthServCounterDiscontinuity." 814 REFERENCE "RFC 2865 section 3" 815 ::= { radiusAuthClientExtEntry 12 } 817 radiusAuthServExtUnknownTypes OBJECT-TYPE 818 SYNTAX Counter32 819 UNITS "packets" 820 MAX-ACCESS read-only 821 STATUS current 822 DESCRIPTION 823 "The number of RADIUS packets of unknown type which 824 were received from this client. This counter may 825 experience a discontinuity when the RADIUS Server 826 module within the managed entity is reinitialized, as 827 indicated by the current value of 828 radiusAuthServCounterDiscontinuity." 
         REFERENCE "RFC 2865 section 4"
         ::= { radiusAuthClientExtEntry 13 }

   radiusAuthServCounterDiscontinuity OBJECT-TYPE
         SYNTAX TimeTicks
         UNITS "centiseconds"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of centiseconds since the last
                discontinuity in the RADIUS Server counters.
                A discontinuity may be the result of a
                reinitialization of the RADIUS Server module
                within the managed entity."
         ::= { radiusAuthClientExtEntry 14 }

   -- conformance information

   radiusAuthServMIBConformance OBJECT IDENTIFIER
         ::= { radiusAuthServMIB 2 }

   radiusAuthServMIBCompliances OBJECT IDENTIFIER
         ::= { radiusAuthServMIBConformance 1 }

   radiusAuthServMIBGroups OBJECT IDENTIFIER
         ::= { radiusAuthServMIBConformance 2 }

   -- compliance statements

   radiusAuthServMIBCompliance MODULE-COMPLIANCE
        STATUS deprecated
        DESCRIPTION
            "The compliance statement for authentication
             servers implementing the RADIUS Authentication
             Server MIB.  Implementation of this module is for
             IPv4-only entities, or for backwards compatibility
             use with entities that support both IPv4 and
             IPv6."
        MODULE -- this module
        MANDATORY-GROUPS { radiusAuthServMIBGroup }

        OBJECT radiusAuthServConfigReset
        WRITE-SYNTAX INTEGER { reset(2) }
        DESCRIPTION "The only SETable value is 'reset' (2)."

        ::= { radiusAuthServMIBCompliances 1 }

   radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
        STATUS current
        DESCRIPTION
            "The compliance statement for authentication
             servers implementing the RADIUS Authentication
             Server IPv6 Extensions MIB.  Implementation of
             this module is for entities that support IPv6,
             or support IPv4 and IPv6."
        MODULE -- this module
        MANDATORY-GROUPS { radiusAuthServExtMIBGroup }

        OBJECT radiusAuthServConfigReset
        WRITE-SYNTAX INTEGER { reset(2) }
        DESCRIPTION "The only SETable value is 'reset' (2)."
        OBJECT radiusAuthClientInetAddressType
        SYNTAX InetAddressType { ipv4(1), ipv6(2) }
        DESCRIPTION
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."

        OBJECT radiusAuthClientInetAddress
        SYNTAX InetAddress ( SIZE (4|16) )
        DESCRIPTION
            "An implementation is only required to support
             IPv4 and globally unique IPv6 addresses."

        ::= { radiusAuthServMIBCompliances 2 }

   -- units of conformance

   radiusAuthServMIBGroup OBJECT-GROUP
        OBJECTS {radiusAuthServIdent,
                 radiusAuthServUpTime,
                 radiusAuthServResetTime,
                 radiusAuthServConfigReset,
                 radiusAuthServTotalAccessRequests,
                 radiusAuthServTotalInvalidRequests,
                 radiusAuthServTotalDupAccessRequests,
                 radiusAuthServTotalAccessAccepts,
                 radiusAuthServTotalAccessRejects,
                 radiusAuthServTotalAccessChallenges,
                 radiusAuthServTotalMalformedAccessRequests,
                 radiusAuthServTotalBadAuthenticators,
                 radiusAuthServTotalPacketsDropped,
                 radiusAuthServTotalUnknownTypes,
                 radiusAuthClientAddress,
                 radiusAuthClientID,
                 radiusAuthServAccessRequests,
                 radiusAuthServDupAccessRequests,
                 radiusAuthServAccessAccepts,
                 radiusAuthServAccessRejects,
                 radiusAuthServAccessChallenges,
                 radiusAuthServMalformedAccessRequests,
                 radiusAuthServBadAuthenticators,
                 radiusAuthServPacketsDropped,
                 radiusAuthServUnknownTypes
                }
        STATUS deprecated
        DESCRIPTION
            "The collection of objects providing management of
             a RADIUS Authentication Server."
        ::= { radiusAuthServMIBGroups 1 }

   radiusAuthServExtMIBGroup OBJECT-GROUP
        OBJECTS {radiusAuthServIdent,
                 radiusAuthServUpTime,
                 radiusAuthServResetTime,
                 radiusAuthServConfigReset,
                 radiusAuthServTotalAccessRequests,
                 radiusAuthServTotalInvalidRequests,
                 radiusAuthServTotalDupAccessRequests,
                 radiusAuthServTotalAccessAccepts,
                 radiusAuthServTotalAccessRejects,
                 radiusAuthServTotalAccessChallenges,
                 radiusAuthServTotalMalformedAccessRequests,
                 radiusAuthServTotalBadAuthenticators,
                 radiusAuthServTotalPacketsDropped,
                 radiusAuthServTotalUnknownTypes,
                 radiusAuthClientInetAddressType,
                 radiusAuthClientInetAddress,
                 radiusAuthClientExtID,
                 radiusAuthServExtAccessRequests,
                 radiusAuthServExtDupAccessRequests,
                 radiusAuthServExtAccessAccepts,
                 radiusAuthServExtAccessRejects,
                 radiusAuthServExtAccessChallenges,
                 radiusAuthServExtMalformedAccessRequests,
                 radiusAuthServExtBadAuthenticators,
                 radiusAuthServExtPacketsDropped,
                 radiusAuthServExtUnknownTypes,
                 radiusAuthServCounterDiscontinuity
                }
        STATUS current
        DESCRIPTION
            "The collection of objects providing management of
             a RADIUS Authentication Server."
        ::= { radiusAuthServMIBGroups 2 }

   END

8.  IANA Considerations

   This document requires no new IANA assignments.

9.  Security Considerations

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are:

   radiusAuthServConfigReset
      This object can be used to reinitialize the persistent state of
      any server.
      When set to reset(2), any persistent server state (such as a
      process) is reinitialized as if the server had just been started.
      Depending on the server implementation details, this action may
      or may not interrupt the processing of pending requests in the
      server.  Abuse of this object may lead to a Denial of Service
      attack on the server.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthClientIPAddress
      This can be used to determine the address of the RADIUS
      authentication client with which the server is communicating.
      This information could be useful in mounting an attack on the
      authentication client.

   radiusAuthClientInetAddress
      This can be used to determine the address of the RADIUS
      authentication client with which the server is communicating.
      This information could be useful in mounting an attack on the
      authentication client.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 do not provide a secure environment.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [2618bis]  Nelson, D., "RADIUS Authentication Client MIB for IPv6",
              draft-ietf-radext-rfc2618bis-04.txt (work in progress),
              June 2006.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Appendix A.  Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to David Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.
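   Added example, not part of this draft: a poller-side treatment of the
   per-client counters defined above.  It derives per-second rates from
   two polls of a radiusAuthClientExtEntry row, handling Counter32 wrap,
   voids the interval when radiusAuthServCounterDiscontinuity shows the
   RADIUS Server module was reinitialized between the polls, and flags a
   client whose radiusAuthServExtBadAuthenticators rate exceeds a
   threshold.  The poll_time field, the jitter slack, and the sample
   polls are constructed assumptions; no SNMP library is used.

```python
from dataclasses import dataclass
from typing import Dict, Optional

COUNTER32_MODULUS = 1 << 32   # Counter32 objects wrap at 2^32
DEFAULT_SLACK_CS = 100        # 1 s tolerance for poll-timing jitter (assumed)
REQ = "radiusAuthServExtAccessRequests"
BAD = "radiusAuthServExtBadAuthenticators"

@dataclass(frozen=True)
class ClientExtPoll:
    """One poll of a radiusAuthClientExtEntry row (constructed sample data)."""
    poll_time: float          # poller wall clock in seconds (assumed field)
    discontinuity_cs: int     # radiusAuthServCounterDiscontinuity, centiseconds
    counters: Dict[str, int]  # MIB object name -> Counter32 value

def counter32_delta(old: int, new: int) -> int:
    """Increase between two Counter32 samples, tolerating a single wrap."""
    return (new - old) % COUNTER32_MODULUS

def discontinuity_between(prev: ClientExtPoll, cur: ClientExtPoll,
                          slack_cs: int = DEFAULT_SLACK_CS) -> bool:
    """radiusAuthServCounterDiscontinuity is centiseconds since the last reset;
    a value shorter than the polling interval means the RADIUS Server module
    was reinitialized between the polls and the counter deltas are void."""
    elapsed_cs = int((cur.poll_time - prev.poll_time) * 100)
    return cur.discontinuity_cs < elapsed_cs - slack_cs

def per_second_rates(prev: ClientExtPoll,
                     cur: ClientExtPoll) -> Optional[Dict[str, float]]:
    """Rates for counters present in both polls, or None across a discontinuity."""
    interval = cur.poll_time - prev.poll_time
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    if discontinuity_between(prev, cur):
        return None
    return {name: counter32_delta(prev.counters[name], cur.counters[name]) / interval
            for name in prev.counters if name in cur.counters}

def bad_authenticator_alert(rates: Optional[Dict[str, float]],
                            threshold_per_s: float) -> bool:
    """True when a client's requests fail Message Authenticator checks faster
    than the threshold (typically a shared-secret mismatch or a spoofed client)."""
    return rates is not None and rates.get(BAD, 0.0) > threshold_per_s

# Constructed sample polls: a Counter32 wrap between the first two polls, then
# a server reinitialization before the third (discontinuity timer restarted).
SAMPLE_PREV = ClientExtPoll(1000.0, 500000, {REQ: 4294967200, BAD: 10})
SAMPLE_CUR = ClientExtPoll(1060.0, 506000, {REQ: 100, BAD: 70})
SAMPLE_AFTER_RESET = ClientExtPoll(1120.0, 1500, {REQ: 20, BAD: 3})
```

   A real poller would also retain the last radiusAuthServCounterDiscontinuity
   value per row so that a reset followed by a long quiet period is not
   mistaken for continuous operation.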
Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA  01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.