idnits 2.17.1

draft-ietf-radext-rfc2621bis-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1073.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1050.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1057.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1063.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 26, 2006) is 6512 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2865' is defined on line 1016, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 2866

  -- Obsolete informational reference (is this intentional?): RFC 2621
     (Obsoleted by RFC 4671)

     Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2  Network Working Group                                          D. Nelson
3  Internet-Draft                                        Enterasys Networks
4  Obsoletes: RFC 2621 (if approved)                          June 26, 2006
5  Expires: December 28, 2006

7                    RADIUS Accounting Server MIB for IPv6
8                     draft-ietf-radext-rfc2621bis-04.txt

10  Status of this Memo

12     By submitting this Internet-Draft, each author represents that any
13     applicable patent or other IPR claims of which he or she is aware
14     have been or will be disclosed, and any of which he or she becomes
15     aware will be disclosed, in accordance with Section 6 of BCP 79.

17     Internet-Drafts are working documents of the Internet Engineering
18     Task Force (IETF), its areas, and its working groups. Note that
19     other groups may also distribute working documents as Internet-
20     Drafts.

22     Internet-Drafts are draft documents valid for a maximum of six months
23     and may be updated, replaced, or obsoleted by other documents at any
24     time. It is inappropriate to use Internet-Drafts as reference
25     material or to cite them other than as "work in progress."

27     The list of current Internet-Drafts can be accessed at
28     http://www.ietf.org/ietf/1id-abstracts.txt.

30     The list of Internet-Draft Shadow Directories can be accessed at
31     http://www.ietf.org/shadow.html.

33     This Internet-Draft will expire on December 28, 2006.

35  Copyright Notice

37     Copyright (C) The Internet Society (2006).

39  Abstract

41     This memo defines a set of extensions, which instrument RADIUS
42     accounting server functions. These extensions represent a portion of
43     the Management Information Base (MIB) for use with network management
44     protocols in the Internet community. Using these extensions IP-based
45     management stations can manage RADIUS accounting servers.

47     This memo obsoletes RFC 2621 by deprecating the MIB table containing
48     IPv4-only address formats and defining a new table to add support for
49     version neutral IP address formats. The remaining MIB objects from
50     RFC 2621 are carried forward into this document. This memo also adds
51     UNITS and REFERENCE clauses to selected objects.

53  Table of Contents

55     1.  Terminology
56     2.  Introduction
57     3.  The Internet-Standard Management Framework
58     4.  Scope of Changes
59     5.  Structure of the MIB Module
60     6.  Deprecated Objects
61     7.  Definitions
62     8.  IANA Considerations
63     9.  Security Considerations
64     10. References
65       10.1.  Normative References
66       10.2.  Informative References
67     Appendix A.  Acknowledgments
68     Author's Address
69     Intellectual Property and Copyright Statements

71  1. Terminology

73     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75     document are to be interpreted as described in RFC 2119 [RFC2119].

77     This document uses terminology from RFC 2866 [RFC2866].

79     This document uses the word "malformed" with respect to RADIUS
80     packets, particularly in the context of counters of "malformed
81     packets". While RFC 2866 does not provide an explicit definition of
82     "malformed", malformed generally means that the implementation has
83     determined the packet does not match the format defined in RFC 2866.
84     Those implementations are used in deployments today, and thus set the
85     de-facto definition of "malformed".

87  2. Introduction

89     This memo defines a portion of the Management Information Base (MIB)
90     for use with network management protocols in the Internet community.
91     The objects defined within this memo relate to the Remote
92     Authentication Dial-In User Service (RADIUS) Accounting Server as
93     defined in RFC 2866 [RFC2866].

95  3. The Internet-Standard Management Framework

97     For a detailed overview of the documents that describe the current
98     Internet-Standard Management Framework, please refer to section 7 of
99     RFC 3410 [RFC3410].

101     Managed objects are accessed via a virtual information store, termed
102     the Management Information Base or MIB. MIB objects are generally
103     accessed through the Simple Network Management Protocol (SNMP).
104     Objects in the MIB are defined using the mechanisms defined in the
105     Structure of Management Information (SMI). This memo specifies a MIB
106     module that is compliant to the SMIv2, which is described in STD 58,
107     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
108     [RFC2580].

110  4. Scope of Changes

112     This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
113     MIB, by deprecating the radiusAccClientTable table and adding a new
114     table, radiusAccClientExtTable, containing
115     radiusAccClientInetAddressType and radiusAccClientInetAddress. The
116     purpose of these added MIB objects is to support version neutral IP
117     addressing formats. The existing table containing
118     radiusAccClientAddress is deprecated. The remaining MIB objects from
119     RFC 2621 are carried forward into this document. This memo also adds
120     UNITS and REFERENCE clauses to selected objects.

122     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
123     version neutral IP addresses, contains the following recommendation.

125     'In particular, when revising a MIB module that contains IPv4
126     specific tables, it is suggested to define new tables using the
127     textual conventions defined in this memo [RFC4001] that support all
128     versions of IP. The status of the new tables SHOULD be "current",
129     whereas the status of the old IP version specific tables SHOULD be
130     changed to "deprecated". The other approach, of having multiple
131     similar tables for different IP versions, is strongly discouraged.'

133  5. Structure of the MIB Module

135     The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
136     distinguishes between the client function and the server function.
137     In RADIUS accounting, clients send Accounting-Requests, and servers
138     reply with Accounting-Responses. Typically Network Access Server
139     (NAS) devices implement the client function, and thus would be
140     expected to implement the RADIUS accounting client MIB, while RADIUS
141     accounting servers implement the server function, and thus would be
142     expected to implement the RADIUS accounting server MIB.

144     However, it is possible for a RADIUS accounting entity to perform
145     both client and server functions. For example, a RADIUS proxy may
146     act as a server to one or more RADIUS accounting clients, while
147     simultaneously acting as an accounting client to one or more
148     accounting servers. In such situations, it is expected that RADIUS
149     entities combining client and server functionality will support both
150     the client and server MIBs. The server MIB is defined in this
151     document, and the client MIB is defined in [2620bis].

153     RFC Editor: Replace the above I-D reference with the assigned RFC
154     number at the time of publication and delete this note.

156     This MIB module contains thirteen scalars as well as a single table,
157     the RADIUS Accounting Client Table, which contains one row for each
158     RADIUS accounting client with which the server shares a secret. Each
159     entry in the RADIUS Accounting Client Table includes twelve columns
160     presenting a view of the activity of the RADIUS accounting server.

162  6. Deprecated Objects

164     The deprecated table in this MIB is carried forward from RFC 2621
165     [RFC2621]. There are two conditions under which it MAY be desirable
166     for managed entities to continue to support the deprecated table:

168     1. The managed entity only supports IPv4 address formats.
169     2. The managed entity supports both IPv4 and IPv6 address formats,
170        and the deprecated table is supported for backwards compatibility
171        with older management stations. This option SHOULD only be used
172        when the IP addresses in the new table are in IPv4 format and can
173        accurately be represented in both the new table and the
174        deprecated table.

176     Managed entities SHOULD NOT instantiate row entries in the deprecated
177     table, containing IPv4-only address objects, when the RADIUS
178     accounting client address represented in such a table row is not an
179     IPv4 address. Managed entities SHOULD NOT return inaccurate values
180     of IP address or SNMP object access errors for IPv4-only address
181     objects in otherwise populated tables. When row entries exist in
182     both the deprecated IPv4-only table and the new IP version neutral
183     table that describe the same RADIUS accounting client, the row
184     indexes SHOULD be the same for the corresponding rows in each table,
185     to facilitate correlation of these related rows by management
186     applications.

188  7. Definitions

190  RADIUS-ACC-SERVER-MIB DEFINITIONS ::= BEGIN

192  IMPORTS
193      MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
194      Counter32, Integer32,
195      IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
196      SnmpAdminString FROM SNMP-FRAMEWORK-MIB
197      InetAddressType, InetAddress FROM INET-ADDRESS-MIB
198      MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;

200  radiusAccServMIB MODULE-IDENTITY
201      LAST-UPDATED "200605100000Z" -- 10 May 2006
202      ORGANIZATION "IETF RADIUS Extensions Working Group."
203      CONTACT-INFO
204          " Bernard Aboba
205            Microsoft
206            One Microsoft Way
207            Redmond, WA 98052
208            US
209            Phone: +1 425 936 6605
210            EMail: bernarda@microsoft.com"
211      DESCRIPTION
212          "The MIB module for entities implementing the server
213           side of the Remote Authentication Dial-In User
214           Service (RADIUS) accounting protocol. Copyright (C)
215           The Internet Society (2006). This version of this
216           MIB module is part of RFC xxxx; see the RFC itself
217           for full legal notices."

219  -- RFC Editor: replace xxxx with actual RFC number at the time of
220  -- publication, and remove this note.

222      REVISION "200605100000Z" -- 10 May 2006
223      DESCRIPTION
224          "Revised version as published in RFC xxxx. This
225           version obsoletes that of RFC 2621 by deprecating
226           the MIB table containing IPv4-only address formats
227           and defining a new table to add support for version
228           neutral IP address formats. The remaining MIB objects
229           from RFC 2621 are carried forward into this version."

231  -- RFC Editor: replace xxxx with actual RFC number at the time of
232  -- publication, and remove this note.

234      REVISION "199906110000Z" -- 11 Jun 1999
235      DESCRIPTION "Initial version as published in RFC 2621."

237      ::= { radiusAccounting 1 }

239  radiusMIB OBJECT-IDENTITY
240      STATUS current
241      DESCRIPTION
242          "The OID assigned to RADIUS MIB work by the IANA."
243      ::= { mib-2 67 }

245  radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

247  radiusAccServMIBObjects OBJECT IDENTIFIER
248      ::= { radiusAccServMIB 1 }

250  radiusAccServ OBJECT IDENTIFIER
251      ::= { radiusAccServMIBObjects 1 }

253  radiusAccServIdent OBJECT-TYPE
254      SYNTAX SnmpAdminString
255      MAX-ACCESS read-only
256      STATUS current
257      DESCRIPTION
258          "The implementation identification string for the
259           RADIUS accounting server software in use on the
260           system, for example; `FNS-2.1'"
261      ::= {radiusAccServ 1}

263  radiusAccServUpTime OBJECT-TYPE
264      SYNTAX TimeTicks
265      MAX-ACCESS read-only
266      STATUS current
267      DESCRIPTION
268          "If the server has a persistent state (e.g., a
269           process), this value will be the time elapsed (in
270           hundredths of a second) since the server process was
271           started. For software without persistent state, this
272           value will be zero."
273      ::= {radiusAccServ 2}

275  radiusAccServResetTime OBJECT-TYPE
276      SYNTAX TimeTicks
277      MAX-ACCESS read-only
278      STATUS current
279      DESCRIPTION
280          "If the server has a persistent state (e.g., a process)
281           and supports a `reset' operation (e.g., can be told to
282           re-read configuration files), this value will be the
283           time elapsed (in hundredths of a second) since the
284           server was `reset.' For software that does not
285           have persistence or does not support a `reset'
286           operation, this value will be zero."
287      ::= {radiusAccServ 3}

289  radiusAccServConfigReset OBJECT-TYPE
290      SYNTAX INTEGER { other(1),
291                       reset(2),
292                       initializing(3),
293                       running(4)}
294      MAX-ACCESS read-write
295      STATUS current
296      DESCRIPTION
297          "Status/action object to reinitialize any persistent
298           server state. When set to reset(2), any persistent
299           server state (such as a process) is reinitialized as
300           if the server had just been started. This value will
301           never be returned by a read operation. When read,
302           one of the following values will be returned:
303               other(1) - server in some unknown state;
304               initializing(3) - server (re)initializing;
305               running(4) - server currently running."
306      ::= {radiusAccServ 4}

308  radiusAccServTotalRequests OBJECT-TYPE
309      SYNTAX Counter32
310      UNITS "packets"
311      MAX-ACCESS read-only
312      STATUS current
313      DESCRIPTION
314          "The number of packets received on the
315           accounting port."
316      REFERENCE "RFC 2866 section 4.1"
317      ::= { radiusAccServ 5 }

319  radiusAccServTotalInvalidRequests OBJECT-TYPE
320      SYNTAX Counter32
321      UNITS "packets"
322      MAX-ACCESS read-only
323      STATUS current
324      DESCRIPTION
325          "The number of RADIUS Accounting-Request packets
326           received from unknown addresses."
327      REFERENCE "RFC 2866 sections 2, 4.1"
328      ::= { radiusAccServ 6 }

330  radiusAccServTotalDupRequests OBJECT-TYPE
331      SYNTAX Counter32
332      UNITS "packets"
333      MAX-ACCESS read-only
334      STATUS current
335      DESCRIPTION
336          "The number of duplicate RADIUS Accounting-Request
337           packets received."
338      REFERENCE "RFC 2866 section 4.1"
339      ::= { radiusAccServ 7 }

341  radiusAccServTotalResponses OBJECT-TYPE
342      SYNTAX Counter32
343      UNITS "packets"
344      MAX-ACCESS read-only
345      STATUS current
346      DESCRIPTION
347          "The number of RADIUS Accounting-Response packets
348           sent."
349      REFERENCE "RFC 2866 section 4.2"
350      ::= { radiusAccServ 8 }

352  radiusAccServTotalMalformedRequests OBJECT-TYPE
353      SYNTAX Counter32
354      UNITS "packets"
355      MAX-ACCESS read-only
356      STATUS current
357      DESCRIPTION
358          "The number of malformed RADIUS Accounting-Request
359           packets received. Bad authenticators or unknown
360           types are not included as malformed Access-Requests."
361      REFERENCE "RFC 2866 section 3"
362      ::= { radiusAccServ 9 }

364  radiusAccServTotalBadAuthenticators OBJECT-TYPE
365      SYNTAX Counter32
366      UNITS "packets"
367      MAX-ACCESS read-only
368      STATUS current
369      DESCRIPTION
370          "The number of RADIUS Accounting-Request packets
371           which contained an invalid authenticator."
372      REFERENCE "RFC 2866 section 3"
373      ::= { radiusAccServ 10 }

375  radiusAccServTotalPacketsDropped OBJECT-TYPE
376      SYNTAX Counter32
377      UNITS "packets"
378      MAX-ACCESS read-only
379      STATUS current
380      DESCRIPTION
381          "The number of incoming packets silently discarded
382           for a reason other than malformed, bad authenticators,
383           or unknown types."
384      REFERENCE "RFC 2866 section 3"
385      ::= { radiusAccServ 11 }

387  radiusAccServTotalNoRecords OBJECT-TYPE
388      SYNTAX Counter32
389      UNITS "packets"
390      MAX-ACCESS read-only
391      STATUS current
392      DESCRIPTION
393          "The number of RADIUS Accounting-Request packets
394           which were received and responded to but not
395           recorded."
396      ::= { radiusAccServ 12 }

398  radiusAccServTotalUnknownTypes OBJECT-TYPE
399      SYNTAX Counter32
400      UNITS "packets"
401      MAX-ACCESS read-only
402      STATUS current
403      DESCRIPTION
404          "The number of RADIUS packets of unknown type which
405           were received."
406      REFERENCE "RFC 2866 section 4"
407      ::= { radiusAccServ 13 }

409  radiusAccClientTable OBJECT-TYPE
410      SYNTAX SEQUENCE OF RadiusAccClientEntry
411      MAX-ACCESS not-accessible
412      STATUS deprecated
413      DESCRIPTION
414          "The (conceptual) table listing the RADIUS accounting
415           clients with which the server shares a secret."
416      ::= { radiusAccServ 14 }

418  radiusAccClientEntry OBJECT-TYPE
419      SYNTAX RadiusAccClientEntry
420      MAX-ACCESS not-accessible
421      STATUS deprecated
422      DESCRIPTION
423          "An entry (conceptual row) representing a RADIUS
424           accounting client with which the server shares a
425           secret."
426      INDEX { radiusAccClientIndex }
427      ::= { radiusAccClientTable 1 }

429  RadiusAccClientEntry ::= SEQUENCE {
430      radiusAccClientIndex Integer32,
431      radiusAccClientAddress IpAddress,
432      radiusAccClientID SnmpAdminString,
433      radiusAccServPacketsDropped Counter32,
434      radiusAccServRequests Counter32,
435      radiusAccServDupRequests Counter32,
436      radiusAccServResponses Counter32,
437      radiusAccServBadAuthenticators Counter32,
438      radiusAccServMalformedRequests Counter32,
439      radiusAccServNoRecords Counter32,
440      radiusAccServUnknownTypes Counter32
441  }

443  radiusAccClientIndex OBJECT-TYPE
444      SYNTAX Integer32 (1..2147483647)
445      MAX-ACCESS not-accessible
446      STATUS deprecated
447      DESCRIPTION
448          "A number uniquely identifying each RADIUS accounting
449           client with which this server communicates."
450      ::= { radiusAccClientEntry 1 }

452  radiusAccClientAddress OBJECT-TYPE
453      SYNTAX IpAddress
454      MAX-ACCESS read-only
455      STATUS deprecated
456      DESCRIPTION
457          "The NAS-IP-Address of the RADIUS accounting client
458           referred to in this table entry."
459      ::= { radiusAccClientEntry 2 }

461  radiusAccClientID OBJECT-TYPE
462      SYNTAX SnmpAdminString
463      MAX-ACCESS read-only
464      STATUS deprecated
465      DESCRIPTION
466          "The NAS-Identifier of the RADIUS accounting client
467           referred to in this table entry. This is not
468           necessarily the same as sysName in MIB II."
469      REFERENCE "RFC 2865 section 5.32"
470      ::= { radiusAccClientEntry 3 }

472  -- Server Counters
473  --
474  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
475  -- UnknownTypes - PacketsDropped - Responses = Pending
476  --
477  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
478  -- UnknownTypes - PacketsDropped - NoRecords = entries logged

480  radiusAccServPacketsDropped OBJECT-TYPE
481      SYNTAX Counter32
482      UNITS "packets"
483      MAX-ACCESS read-only
484      STATUS deprecated
485      DESCRIPTION
486          "The number of incoming packets received
487           from this client and silently discarded
488           for a reason other than malformed, bad
489           authenticators, or unknown types."
490      REFERENCE "RFC 2866 section 3"
491      ::= { radiusAccClientEntry 4 }

493  radiusAccServRequests OBJECT-TYPE
494      SYNTAX Counter32
495      UNITS "packets"
496      MAX-ACCESS read-only
497      STATUS deprecated
498      DESCRIPTION
499          "The number of packets received from this
500           client on the accounting port."
501      REFERENCE "RFC 2866 section 4.1"
502      ::= { radiusAccClientEntry 5 }

504  radiusAccServDupRequests OBJECT-TYPE
505      SYNTAX Counter32
506      UNITS "packets"
507      MAX-ACCESS read-only
508      STATUS deprecated
509      DESCRIPTION
510          "The number of duplicate RADIUS Accounting-Request
511           packets received from this client."
512      REFERENCE "RFC 2866 section 4.1"
513      ::= { radiusAccClientEntry 6 }

515  radiusAccServResponses OBJECT-TYPE
516      SYNTAX Counter32
517      UNITS "packets"
518      MAX-ACCESS read-only
519      STATUS deprecated
520      DESCRIPTION
521          "The number of RADIUS Accounting-Response packets
522           sent to this client."
523      REFERENCE "RFC 2866 section 4.2"
524      ::= { radiusAccClientEntry 7 }

526  radiusAccServBadAuthenticators OBJECT-TYPE
527      SYNTAX Counter32
528      UNITS "packets"
529      MAX-ACCESS read-only
530      STATUS deprecated
531      DESCRIPTION
532          "The number of RADIUS Accounting-Request packets
533           which contained invalid authenticators received
534           from this client."
535      REFERENCE "RFC 2866 section 3"
536      ::= { radiusAccClientEntry 8 }

538  radiusAccServMalformedRequests OBJECT-TYPE
539      SYNTAX Counter32
540      UNITS "packets"
541      MAX-ACCESS read-only
542      STATUS deprecated
543      DESCRIPTION
544          "The number of malformed RADIUS Accounting-Request
545           packets which were received from this client.
546           Bad authenticators and unknown types
547           are not included as malformed Accounting-Requests."
548      REFERENCE "RFC 2866 section 3"
549      ::= { radiusAccClientEntry 9 }

551  radiusAccServNoRecords OBJECT-TYPE
552      SYNTAX Counter32
553      UNITS "packets"
554      MAX-ACCESS read-only
555      STATUS deprecated
556      DESCRIPTION
557          "The number of RADIUS Accounting-Request packets
558           which were received and responded to but not
559           recorded."
560      ::= { radiusAccClientEntry 10 }

562  radiusAccServUnknownTypes OBJECT-TYPE
563      SYNTAX Counter32
564      UNITS "packets"
565      MAX-ACCESS read-only
566      STATUS deprecated
567      DESCRIPTION
568          "The number of RADIUS packets of unknown type which
569           were received from this client."
570      REFERENCE "RFC 2866 section 4"
571      ::= { radiusAccClientEntry 11 }

573  -- New MIB objects added in this revision

575  radiusAccClientExtTable OBJECT-TYPE
576      SYNTAX SEQUENCE OF RadiusAccClientExtEntry
577      MAX-ACCESS not-accessible
578      STATUS current
579      DESCRIPTION
580          "The (conceptual) table listing the RADIUS accounting
581           clients with which the server shares a secret."
582      ::= { radiusAccServ 15 }

584  radiusAccClientExtEntry OBJECT-TYPE
585      SYNTAX RadiusAccClientExtEntry
586      MAX-ACCESS not-accessible
587      STATUS current
588      DESCRIPTION
589          "An entry (conceptual row) representing a RADIUS
590           accounting client with which the server shares a
591           secret."
592      INDEX { radiusAccClientExtIndex }
593      ::= { radiusAccClientExtTable 1 }

595  RadiusAccClientExtEntry ::= SEQUENCE {
596      radiusAccClientExtIndex Integer32,
597      radiusAccClientInetAddressType InetAddressType,
598      radiusAccClientInetAddress InetAddress,
599      radiusAccClientExtID SnmpAdminString,
600      radiusAccServExtPacketsDropped Counter32,
601      radiusAccServExtRequests Counter32,
602      radiusAccServExtDupRequests Counter32,
603      radiusAccServExtResponses Counter32,
604      radiusAccServExtBadAuthenticators Counter32,
605      radiusAccServExtMalformedRequests Counter32,
606      radiusAccServExtNoRecords Counter32,
607      radiusAccServExtUnknownTypes Counter32,
608      radiusAccServerCounterDiscontinuity TimeTicks
609  }

611  radiusAccClientExtIndex OBJECT-TYPE
612      SYNTAX Integer32 (1..2147483647)
613      MAX-ACCESS not-accessible
614      STATUS current
615      DESCRIPTION
616          "A number uniquely identifying each RADIUS accounting
617           client with which this server communicates."
618      ::= { radiusAccClientExtEntry 1 }

620  radiusAccClientInetAddressType OBJECT-TYPE
621      SYNTAX InetAddressType
622      MAX-ACCESS read-only
623      STATUS current
624      DESCRIPTION
625          "The type of address format used for the
626           radiusAccClientInetAddress object."
627      ::= { radiusAccClientExtEntry 2 }

629  radiusAccClientInetAddress OBJECT-TYPE
630      SYNTAX InetAddress
631      MAX-ACCESS read-only
632      STATUS current
633      DESCRIPTION
634          "The IP address of the RADIUS accounting
635           client referred to in this table entry, using
636           the IPv6 address format."
637      ::= { radiusAccClientExtEntry 3 }

639  radiusAccClientExtID OBJECT-TYPE
640      SYNTAX SnmpAdminString
641      MAX-ACCESS read-only
642      STATUS current
643      DESCRIPTION
644          "The NAS-Identifier of the RADIUS accounting client
645           referred to in this table entry. This is not
646           necessarily the same as sysName in MIB II."
647      REFERENCE "RFC 2865 section 5.32"
648      ::= { radiusAccClientExtEntry 4 }

650  -- Server Counters
651  --
652  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
653  -- UnknownTypes - PacketsDropped - Responses = Pending
654  --
655  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
656  -- UnknownTypes - PacketsDropped - NoRecords = entries logged

658  radiusAccServExtPacketsDropped OBJECT-TYPE
659      SYNTAX Counter32
660      UNITS "packets"
661      MAX-ACCESS read-only
662      STATUS current
663      DESCRIPTION
664          "The number of incoming packets received from this
665           client and silently discarded for a reason other
666           than malformed, bad authenticators, or unknown types.
667           This counter may experience a discontinuity when the
668           RADIUS Accounting Server module within the managed
669           entity is reinitialized, as indicated by the current
670           value of radiusAccServerCounterDiscontinuity."
671      REFERENCE "RFC 2866 section 3"
672      ::= { radiusAccClientExtEntry 5 }

674  radiusAccServExtRequests OBJECT-TYPE
675      SYNTAX Counter32
676      UNITS "packets"
677      MAX-ACCESS read-only
678      STATUS current
679      DESCRIPTION
680          "The number of packets received from this
681           client on the accounting port. This counter
682           may experience a discontinuity when the
683           RADIUS Accounting Server module within the
684           managed entity is reinitialized, as indicated by
685           the current value of
686           radiusAccServerCounterDiscontinuity."

688      REFERENCE "RFC 2866 section 4.1"
689      ::= { radiusAccClientExtEntry 6 }

691  radiusAccServExtDupRequests OBJECT-TYPE
692      SYNTAX Counter32
693      UNITS "packets"
694      MAX-ACCESS read-only
695      STATUS current
696      DESCRIPTION
697          "The number of duplicate RADIUS Accounting-Request
698           packets received from this client. This counter
699           may experience a discontinuity when the RADIUS
700           Accounting Server module within the managed
701           entity is reinitialized, as indicated by the
702           current value of
703           radiusAccServerCounterDiscontinuity."
704      REFERENCE "RFC 2866 section 4.1"
705      ::= { radiusAccClientExtEntry 7 }

707  radiusAccServExtResponses OBJECT-TYPE
708      SYNTAX Counter32
709      UNITS "packets"
710      MAX-ACCESS read-only
711      STATUS current
712      DESCRIPTION
713          "The number of RADIUS Accounting-Response packets
714           sent to this client. This counter may experience
715           a discontinuity when the RADIUS Accounting Server
716           module within the managed entity is reinitialized,
717           as indicated by the current value of
718           radiusAccServerCounterDiscontinuity."
719      REFERENCE "RFC 2866 section 4.2"
720      ::= { radiusAccClientExtEntry 8 }

722  radiusAccServExtBadAuthenticators OBJECT-TYPE
723      SYNTAX Counter32
724      UNITS "packets"
725      MAX-ACCESS read-only
726      STATUS current
727      DESCRIPTION
728          "The number of RADIUS Accounting-Request packets
729           which contained invalid authenticators received
730           from this client. This counter may experience a
731           discontinuity when the RADIUS Accounting Server
732           module within the managed entity is reinitialized,
733           as indicated by the current value of
734           radiusAccServerCounterDiscontinuity."
735      REFERENCE "RFC 2866 section 3"
736      ::= { radiusAccClientExtEntry 9 }

738  radiusAccServExtMalformedRequests OBJECT-TYPE
739      SYNTAX Counter32
740      UNITS "packets"
741      MAX-ACCESS read-only
742      STATUS current
743      DESCRIPTION
744          "The number of malformed RADIUS Accounting-Request
745           packets which were received from this client.
746           Bad authenticators and unknown types are not
747           included as malformed Accounting-Requests. This
748           counter may experience a discontinuity when the
749           RADIUS Accounting Server module within the managed
750           entity is reinitialized, as indicated by the current
751           value of radiusAccServerCounterDiscontinuity."
752      REFERENCE "RFC 2866 section 3"
753      ::= { radiusAccClientExtEntry 10 }

755  radiusAccServExtNoRecords OBJECT-TYPE
756      SYNTAX Counter32
757      UNITS "packets"
758      MAX-ACCESS read-only
759      STATUS current
760      DESCRIPTION
761          "The number of RADIUS Accounting-Request packets
762           which were received and responded to but not
763           recorded. This counter may experience a
764           discontinuity when the RADIUS Accounting Server
765           module within the managed entity is reinitialized,
766           as indicated by the current value of
767           radiusAccServerCounterDiscontinuity."
768      ::= { radiusAccClientExtEntry 11 }

770  radiusAccServExtUnknownTypes OBJECT-TYPE
771      SYNTAX Counter32
772      UNITS "packets"
773      MAX-ACCESS read-only
774      STATUS current
775      DESCRIPTION
776          "The number of RADIUS packets of unknown type which
777           were received from this client. This counter may
778           experience a discontinuity when the RADIUS Accounting
779           Server module within the managed entity is
780           reinitialized, as indicated by the current value of
781           radiusAccServerCounterDiscontinuity."
782      REFERENCE "RFC 2866 section 4"
783      ::= { radiusAccClientExtEntry 12 }

785  radiusAccServerCounterDiscontinuity OBJECT-TYPE
786      SYNTAX TimeTicks
787      UNITS "centiseconds"
788      MAX-ACCESS read-only
789      STATUS current
790      DESCRIPTION
791          "The number of centiseconds since the last
792           discontinuity in the RADIUS Accounting Server
793           counters. A discontinuity may be the result of
794           a reinitialization of the RADIUS Accounting Server
795           module within the managed entity."
796      ::= { radiusAccClientExtEntry 13 }

798  -- conformance information

800  radiusAccServMIBConformance OBJECT IDENTIFIER
801      ::= { radiusAccServMIB 2 }

803  radiusAccServMIBCompliances OBJECT IDENTIFIER
804      ::= { radiusAccServMIBConformance 1 }

806  radiusAccServMIBGroups OBJECT IDENTIFIER
807      ::= { radiusAccServMIBConformance 2 }

809  -- compliance statements

811  radiusAccServMIBCompliance MODULE-COMPLIANCE
812      STATUS deprecated
813      DESCRIPTION
814          "The compliance statement for accounting servers
815           implementing the RADIUS Accounting Server MIB.
816           Implementation of this module is for IPv4-only
817           entities, or for backwards compatibility use with
818           entities that support both IPv4 and IPv6."
819      MODULE -- this module
820          MANDATORY-GROUPS { radiusAccServMIBGroup }

822          OBJECT radiusAccServConfigReset
823          WRITE-SYNTAX INTEGER { reset(2) }
824          DESCRIPTION "The only SETable value is 'reset' (2)."

826      ::= { radiusAccServMIBCompliances 1 }

828  radiusAccServExtMIBCompliance MODULE-COMPLIANCE
829      STATUS current
830      DESCRIPTION
831          "The compliance statement for accounting
832           servers implementing the RADIUS Accounting
833           Server IPv6 Extensions MIB. Implementation of
834           this module is for entities that support IPv6,
835           or support IPv4 and IPv6."
836      MODULE -- this module
837          MANDATORY-GROUPS { radiusAccServExtMIBGroup }

839          OBJECT radiusAccServConfigReset
840          WRITE-SYNTAX INTEGER { reset(2) }
841          DESCRIPTION "The only SETable value is 'reset' (2)."

843          OBJECT radiusAccClientInetAddressType
844          SYNTAX InetAddressType { ipv4(1), ipv6(2) }
845          DESCRIPTION
846              "An implementation is only required to support
847               IPv4 and globally unique IPv6 addresses."

849          OBJECT radiusAccClientInetAddress
850          SYNTAX InetAddress ( SIZE (4|16) )
851          DESCRIPTION
852              "An implementation is only required to support
853               IPv4 and globally unique IPv6 addresses."
855         ::= { radiusAccServMIBCompliances 2 }

857   -- units of conformance

859   radiusAccServMIBGroup OBJECT-GROUP
860         OBJECTS {radiusAccServIdent,
861                  radiusAccServUpTime,
862                  radiusAccServResetTime,
863                  radiusAccServConfigReset,
864                  radiusAccServTotalRequests,
865                  radiusAccServTotalInvalidRequests,
866                  radiusAccServTotalDupRequests,
867                  radiusAccServTotalResponses,
868                  radiusAccServTotalMalformedRequests,
869                  radiusAccServTotalBadAuthenticators,
870                  radiusAccServTotalPacketsDropped,
871                  radiusAccServTotalNoRecords,
872                  radiusAccServTotalUnknownTypes,
873                  radiusAccClientAddress,
874                  radiusAccClientID,
875                  radiusAccServPacketsDropped,
876                  radiusAccServRequests,
877                  radiusAccServDupRequests,
878                  radiusAccServResponses,
879                  radiusAccServBadAuthenticators,
880                  radiusAccServMalformedRequests,
881                  radiusAccServNoRecords,
882                  radiusAccServUnknownTypes
883                 }
884         STATUS deprecated
885         DESCRIPTION
886               "The collection of objects providing management of
887                a RADIUS Accounting Server."
888         ::= { radiusAccServMIBGroups 1 }

890   radiusAccServExtMIBGroup OBJECT-GROUP
891         OBJECTS {radiusAccServIdent,
892                  radiusAccServUpTime,
893                  radiusAccServResetTime,
894                  radiusAccServConfigReset,
895                  radiusAccServTotalRequests,
896                  radiusAccServTotalInvalidRequests,
897                  radiusAccServTotalDupRequests,
898                  radiusAccServTotalResponses,
899                  radiusAccServTotalMalformedRequests,
900                  radiusAccServTotalBadAuthenticators,
901                  radiusAccServTotalPacketsDropped,
902                  radiusAccServTotalNoRecords,
903                  radiusAccServTotalUnknownTypes,
904                  radiusAccClientInetAddressType,
905                  radiusAccClientInetAddress,
906                  radiusAccClientExtID,
907                  radiusAccServExtPacketsDropped,
908                  radiusAccServExtRequests,
909                  radiusAccServExtDupRequests,
910                  radiusAccServExtResponses,
911                  radiusAccServExtBadAuthenticators,
912                  radiusAccServExtMalformedRequests,
913                  radiusAccServExtNoRecords,
914                  radiusAccServExtUnknownTypes,
915                  radiusAccServerCounterDiscontinuity
916                 }
917         STATUS current
918         DESCRIPTION
919               "The collection of objects providing management of
920                a RADIUS Accounting Server."
921         ::= { radiusAccServMIBGroups 2 }

923   END

925   8. IANA Considerations

927      This document requires no new IANA assignments.

929   9. Security Considerations

931      There are management objects (radiusAccServConfigReset) defined in
932      this MIB that have a MAX-ACCESS clause of read-write and/or read-
933      create. Such objects may be considered sensitive or vulnerable in
934      some network environments. The support for SET operations in a non-
935      secure environment without proper protection can have a negative
936      effect on network operations. These are:

938      radiusAccServConfigReset This object can be used to reinitialize the
939         persistent state of any server. When set to reset(2), any
940         persistent server state (such as a process) is reinitialized as if
941         the server had just been started. Depending on the server
942         implementation details, this action may or may not interrupt the
943         processing of pending requests in the server. Abuse of this object
944         may lead to a Denial of Service attack on the server.

946      There are a number of managed objects in this MIB that may contain
947      sensitive information. These are:

949      radiusAccClientIPAddress This can be used to determine the address of
950         the RADIUS accounting client with which the server is
951         communicating. This information could be useful in mounting an
952         attack on the accounting client.
953      radiusAccClientInetAddress This can be used to determine the address
954         of the RADIUS accounting client with which the server is
955         communicating. This information could be useful in mounting an
956         attack on the accounting client.

958      It is thus important to control even GET access to these objects and
959      possibly to even encrypt the values of these objects when sending them
960      over the network via SNMP. Not all versions of SNMP provide features
961      for such a secure environment.

963      SNMP versions prior to SNMPv3 do not provide a secure environment.
964      Even if the network itself is secure (for example by using IPsec),
965      there is no control as to who on the secure network is allowed to
966      access and GET/SET (read/change/create/delete) the objects in this
967      MIB.

969      It is RECOMMENDED that implementers consider the security features as
970      provided by the SNMPv3 framework (see [RFC3410], section 8),
971      including full support for the SNMPv3 cryptographic mechanisms (for
972      authentication and privacy).

974      Further, deployment of SNMP versions prior to SNMPv3 is NOT
975      RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
976      enable cryptographic security. It is then a customer/operator
977      responsibility to ensure that the SNMP entity giving access to an
978      instance of this MIB module is properly configured to give access to
979      the objects only to those principals (users) that have legitimate
980      rights to indeed GET or SET (change/create/delete) them.

982   10. References

984   10.1. Normative References

986      [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
987                 Requirement Levels", BCP 14, RFC 2119, March 1997.

989      [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
990                 Schoenwaelder, Ed., "Structure of Management Information
991                 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

993      [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
994                 Schoenwaelder, Ed., "Textual Conventions for SMIv2",
995                 STD 58, RFC 2579, April 1999.

997      [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
998                 "Conformance Statements for SMIv2", STD 58, RFC 2580,
999                 April 1999.

1001     [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

1003     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
1004                Schoenwaelder, "Textual Conventions for Internet Network
1005                Addresses", RFC 4001, February 2005.

1007  10.2. Informative References

1009     [2620bis]  Nelson, D., "RADIUS Accounting Client MIB for IPv6",
1010                draft-ietf-radext-rfc2620bis-04.txt (work in progress),
1011                June 2006.
1013     [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
1014                RFC 2621, June 1999.

1016     [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
1017                "Remote Authentication Dial In User Service (RADIUS)",
1018                RFC 2865, June 2000.

1020     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
1021                "Introduction and Applicability Statements for Internet-
1022                Standard Management Framework", RFC 3410, December 2002.

1024  Appendix A. Acknowledgments

1026     The authors of the original MIB are Bernard Aboba and Glen Zorn.

1028     Many thanks to all reviewers, especially to Dave Harrington, Dan
1029     Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.

1031  Author's Address

1033     David B. Nelson
1034     Enterasys Networks
1035     50 Minuteman Road
1036     Andover, MA 01810
1037     USA

1039     Email: dnelson@enterasys.com

1041  Intellectual Property Statement

1043     The IETF takes no position regarding the validity or scope of any
1044     Intellectual Property Rights or other rights that might be claimed to
1045     pertain to the implementation or use of the technology described in
1046     this document or the extent to which any license under such rights
1047     might or might not be available; nor does it represent that it has
1048     made any independent effort to identify any such rights. Information
1049     on the procedures with respect to rights in RFC documents can be
1050     found in BCP 78 and BCP 79.

1052     Copies of IPR disclosures made to the IETF Secretariat and any
1053     assurances of licenses to be made available, or the result of an
1054     attempt made to obtain a general license or permission for the use of
1055     such proprietary rights by implementers or users of this
1056     specification can be obtained from the IETF on-line IPR repository at
1057     http://www.ietf.org/ipr.
1059     The IETF invites any interested party to bring to its attention any
1060     copyrights, patents or patent applications, or other proprietary
1061     rights that may cover technology that may be required to implement
1062     this standard. Please address the information to the IETF at
1063     ietf-ipr@ietf.org.

1065  Disclaimer of Validity

1067     This document and the information contained herein are provided on an
1068     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1069     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1070     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1071     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1072     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1073     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1075  Copyright Statement

1077     Copyright (C) The Internet Society (2006). This document is subject
1078     to the rights, licenses and restrictions contained in BCP 78, and
1079     except as set forth therein, the authors retain all their rights.

1081  Acknowledgment

1083     Funding for the RFC Editor function is currently provided by the
1084     Internet Society.
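
Added example (not part of the draft, and not code from its author): a monitoring-side sketch of how a poller can use radiusAccServerCounterDiscontinuity when turning the per-client Counter32 objects defined above into interval deltas, so that a reinitialization (for instance one triggered through radiusAccServConfigReset) is reported as a reset instead of being misread as a huge counter jump. The Poll class, its field names, the use of the poller's own clock and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

COUNTER32_MOD = 2 ** 32  # a Counter32 wraps to 0 after 4294967295


@dataclass
class Poll:
    """One poll of a radiusAccClientExtEntry row (field names are assumptions)."""
    taken_at: float        # poller's own monotonic clock, in seconds
    discontinuity_cs: int  # radiusAccServerCounterDiscontinuity (centiseconds)
    unknown_types: int     # radiusAccServExtUnknownTypes
    no_records: int        # radiusAccServExtNoRecords


def had_discontinuity(prev: Poll, cur: Poll) -> bool:
    """True if the last discontinuity is more recent than the previous poll."""
    return cur.discontinuity_cs / 100.0 < cur.taken_at - prev.taken_at


def counter32_delta(prev_value: int, cur_value: int) -> int:
    """Increase between two samples, allowing for one Counter32 wrap."""
    return (cur_value - prev_value) % COUNTER32_MOD


def interval_deltas(prev: Poll, cur: Poll) -> Optional[Dict[str, int]]:
    """Per-interval increases, or None when the counters were reinitialized
    in between and subtracting the two samples would be meaningless."""
    if had_discontinuity(prev, cur):
        return None
    return {
        "unknown_types": counter32_delta(prev.unknown_types, cur.unknown_types),
        "no_records": counter32_delta(prev.no_records, cur.no_records),
    }


# Constructed sample polls, 60 seconds apart.
P0 = Poll(0.0, 360000, 4294967290, 10)   # counters continuous for 1 hour
P1 = Poll(60.0, 366000, 4, 12)           # unknown_types wrapped past 2^32
P2 = Poll(120.0, 1500, 1, 0)             # discontinuity 15 s ago: reset

if __name__ == "__main__":
    for prev, cur in ((P0, P1), (P1, P2)):
        deltas = interval_deltas(prev, cur)
        print("reinitialized, baseline restarted" if deltas is None else deltas)
```

A None result is itself worth logging: it marks a server reinitialization, which the Security Considerations section identifies as the effect of setting radiusAccServConfigReset to reset(2).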