Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: December 17, 2006                                    N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                           June 15, 2006

                    Dynamic Authorization Client MIB
                draft-ietf-radext-dynauth-client-mib-06.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 17, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS) [RFC2865] Dynamic Authorization Client (DAC)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
     1.1.  Requirements notation
     1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Client MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Client MIB complements the managed
   objects used for managing RADIUS authentication and accounting
   servers as described in [RFC2619bis] and [RFC2621bis], respectively.

   -- RFC Ed.: references [DYNSERV], [RFC2619bis], [RFC2621bis] should
   -- be replaced by references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the Disconnect
      and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
      the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component that sends Disconnect and CoA-Request packets to the
      Dynamic Authorization Server.  While often residing on the RADIUS
      server, it is also possible for this component to be located on a
      separate host, such as a Rating Engine.
   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
   Request, CoA-ACK and CoA-NAK packets.  [DYNSERV] defines the Dynamic
   Authorization Server MIB and its relationship with other MIB modules.
   This MIB module for the Dynamic Authorization Client contains the
   following:

   1.  Two scalar objects, and

   2.  One Dynamic Authorization Server table.  This table contains one
       row for each DAS that the DAC shares a secret with.

4.  RADIUS Dynamic Authorization Client MIB Definitions

RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, Gauge32, Integer32,
       mib-2, TimeTicks             FROM SNMPv2-SMI         -- [RFC2578]
       SnmpAdminString              FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
       InetAddressType, InetAddress,
       InetPortNumber               FROM INET-ADDRESS-MIB   -- [RFC4001]
       MODULE-COMPLIANCE,
       OBJECT-GROUP                 FROM SNMPv2-CONF;       -- [RFC2580]

radiusDynAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "200606060000Z" -- 6 June 2006
       ORGANIZATION "IETF RADEXT Working Group"
       CONTACT-INFO
              " Stefaan De Cnodder
                Alcatel
                Francis Wellesplein 1
                B-2018 Antwerp
                Belgium

                Phone: +32 3 240 85 15
                EMail: stefaan.de_cnodder@alcatel.be

                Nagi Reddy Jonnala
                Cisco Systems, Inc.
                Divyasree Chambers, B Wing,
                O'Shaugnessy Road,
                Bangalore-560027, India.

                Phone: +91 94487 60828
                EMail: njonnala@cisco.com

                Murtaza Chiba
                Cisco Systems, Inc.
                170 West Tasman Dr.
                San Jose CA, 95134

                Phone: +1 408 525 7198
                EMail: mchiba@cisco.com "
       DESCRIPTION
             "The MIB module for entities implementing the client
              side of the Dynamic Authorization Extensions to the Remote
              Authentication Dial In User Service (RADIUS) protocol.

              Copyright (C) The Internet Society (2006).  Initial
              version as published in RFC yyyy;
              for full legal notices see the RFC itself."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note

       REVISION "200606060000Z" -- 6 June 2006
       DESCRIPTION "Initial version as published in RFC yyyy"
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note
       ::= { mib-2 xxx }
       -- The value xxx to be assigned by IANA.
radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                        { radiusDynAuthClientMIB 1 }

radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
                                        { radiusDynAuthClientMIBObjects 1 }

radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of Disconnect-Ack and Disconnect-NAK packets
              received from unknown addresses.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       ::= { radiusDynAuthClientScalars 1 }

radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of CoA-Ack and CoA-NAK packets received from
              unknown addresses.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       ::= { radiusDynAuthClientScalars 2 }

radiusDynAuthServerTable OBJECT-TYPE
       SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS Dynamic
              Authorization Servers with which the client shares a
              secret."
       ::= { radiusDynAuthClientMIBObjects 2 }

radiusDynAuthServerEntry OBJECT-TYPE
       SYNTAX RadiusDynAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "An entry (conceptual row) representing one Dynamic
              Authorization Server with which the client shares a
              secret."
       INDEX      { radiusDynAuthServerIndex }
       ::= { radiusDynAuthServerTable 1 }

RadiusDynAuthServerEntry ::= SEQUENCE {
       radiusDynAuthServerIndex                     Integer32,
       radiusDynAuthServerAddressType               InetAddressType,
       radiusDynAuthServerAddress                   InetAddress,
       radiusDynAuthServerClientPortNumber          InetPortNumber,
       radiusDynAuthServerID                        SnmpAdminString,
       radiusDynAuthClientRoundTripTime             TimeTicks,
       radiusDynAuthClientDisconRequests            Counter32,
       radiusDynAuthClientDisconAuthOnlyRequests    Counter32,
       radiusDynAuthClientDisconRetransmissions     Counter32,
       radiusDynAuthClientDisconAcks                Counter32,
       radiusDynAuthClientDisconNaks                Counter32,
       radiusDynAuthClientDisconNakAuthOnlyRequest  Counter32,
       radiusDynAuthClientDisconNakSessNoContext    Counter32,
       radiusDynAuthClientMalformedDisconResponses  Counter32,
       radiusDynAuthClientDisconBadAuthenticators   Counter32,
       radiusDynAuthClientDisconPendingRequests     Gauge32,
       radiusDynAuthClientDisconTimeouts            Counter32,
       radiusDynAuthClientDisconPacketsDropped      Counter32,
       radiusDynAuthClientCoARequests               Counter32,
       radiusDynAuthClientCoAAuthOnlyRequest        Counter32,
       radiusDynAuthClientCoARetransmissions        Counter32,
       radiusDynAuthClientCoAAcks                   Counter32,
       radiusDynAuthClientCoANaks                   Counter32,
       radiusDynAuthClientCoANakAuthOnlyRequest     Counter32,
       radiusDynAuthClientCoANakSessNoContext       Counter32,
       radiusDynAuthClientMalformedCoAResponses     Counter32,
       radiusDynAuthClientCoABadAuthenticators      Counter32,
       radiusDynAuthClientCoAPendingRequests        Gauge32,
       radiusDynAuthClientCoATimeouts               Counter32,
       radiusDynAuthClientCoAPacketsDropped         Counter32,
       radiusDynAuthClientUnknownTypes              Counter32,
       radiusDynAuthClientCounterDiscontinuity      TimeTicks
}

radiusDynAuthServerIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "A number uniquely identifying each RADIUS Dynamic
              Authorization Server with which this Dynamic
              Authorization Client communicates.  This number is
              allocated by the agent implementing this MIB module,
              and is unique in this context."
       ::= { radiusDynAuthServerEntry 1 }

radiusDynAuthServerAddressType OBJECT-TYPE
       SYNTAX InetAddressType
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The type of IP address of the RADIUS Dynamic
              Authorization Server referred to in this table entry."
       ::= { radiusDynAuthServerEntry 2 }

radiusDynAuthServerAddress OBJECT-TYPE
       SYNTAX InetAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The IP address value of the RADIUS Dynamic
              Authorization Server referred to in this table entry
              using the version-neutral IP address format.  The type
              of this address is determined by the value of the
              radiusDynAuthServerAddressType object."
       ::= { radiusDynAuthServerEntry 3 }

radiusDynAuthServerClientPortNumber OBJECT-TYPE
       SYNTAX InetPortNumber (1..65535)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The UDP destination port that the RADIUS Dynamic
              Authorization Client is using to send requests to this
              server.  The value zero is invalid."
       ::= { radiusDynAuthServerEntry 4 }

radiusDynAuthServerID OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS Dynamic Authorization
              Server referred to in this table entry.  This is not
              necessarily the same as sysName in MIB II."
       REFERENCE
             "RFC 2865, Section 5.32, NAS-Identifier."
       ::= { radiusDynAuthServerEntry 5 }

radiusDynAuthClientRoundTripTime OBJECT-TYPE
       SYNTAX TimeTicks
       UNITS "hundredths of a second"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The time interval (in hundredths of a second) between
              the most recent Disconnect or CoA request and the
              reception of the corresponding Disconnect or CoA reply.
              A value of zero is returned in case no reply has been
              received yet from this server."
       ::= { radiusDynAuthServerEntry 6 }

radiusDynAuthClientDisconRequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests sent
              to this Dynamic Authorization Server.  This also
              includes the RADIUS Disconnect-Requests that have a
              Service-Type attribute with value 'Authorize Only'.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 7 }

radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Server.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 8 }

radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
       SYNTAX Counter32
       UNITS "retransmissions"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Request packets
              retransmitted to this RADIUS Dynamic Authorization
              Server.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 9 }

radiusDynAuthClientDisconAcks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-ACK packets
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 10 }

radiusDynAuthClientDisconNaks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              received from this Dynamic Authorization Server.
              This includes the RADIUS Disconnect-NAK packets
              received with a Service-Type attribute with value
              'Authorize Only' and the RADIUS Disconnect-NAK
              packets received because no session context was
              found.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 11 }

radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              that include a Service-Type attribute with value
              'Authorize Only' received from this Dynamic
              Authorization Server.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 12 }

radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              received from this Dynamic Authorization Server
              because no session context was found, i.e., the packet
              includes an Error-Cause attribute with value 503
              ('Session Context Not Found').  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 13 }

radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of malformed RADIUS Disconnect-Ack and
              Disconnect-NAK packets received from this Dynamic
              Authorization Server.  Bad authenticators and unknown
              types are not included as malformed Disconnect-Ack and
              Disconnect-NAK packets.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 14 }

radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Ack and Disconnect-NAK
              packets that contained an invalid Authenticator field
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 15 }

radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
       SYNTAX Gauge32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Request packets
              destined for this server that have not yet timed out
              or received a response.  This variable is incremented
              when a Disconnect-Request is sent and decremented
              due to receipt of a Disconnect-Ack, Disconnect-NAK
              or a timeout or a retransmission."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 16 }

radiusDynAuthClientDisconTimeouts OBJECT-TYPE
       SYNTAX Counter32
       UNITS "timeouts"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of Disconnect request timeouts to this
              server.  After a timeout the client may retry to the
              same server or give up.  A retry to the same server is
              counted as a retransmit as well as a timeout.  A send
              to a different server is counted as a
              Disconnect-Request as well as a timeout.  This counter
              may experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 17 }

radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of incoming Disconnect-Ack and
              Disconnect-NAK packets from this Dynamic Authorization
              Server silently discarded by the client application for
              some reason other than malformed, bad authenticators or
              unknown types.
              This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 18 }

radiusDynAuthClientCoARequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Requests sent to this
              Dynamic Authorization Server.  This also includes
              the CoA requests that have a Service-Type attribute
              with value 'Authorize Only'.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 19 }

radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Requests that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Server.  This counter
              may experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 20 }

radiusDynAuthClientCoARetransmissions OBJECT-TYPE
       SYNTAX Counter32
       UNITS "retransmissions"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Request packets
              retransmitted to this RADIUS Dynamic Authorization
              Server.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 21 }

radiusDynAuthClientCoAAcks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-ACK packets received from
              this Dynamic Authorization Server.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 22 }

radiusDynAuthClientCoANaks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets received from
              this Dynamic Authorization Server.  This includes the
              RADIUS CoA-NAK packets received with a Service-Type
              attribute with value 'Authorize Only' and the RADIUS
              CoA-NAK packets received because no session context
              was found.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 23 }

radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets that include a
              Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 24 }

radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets received from
              this Dynamic Authorization Server because no session
              context was found, i.e., the packet includes an
              Error-Cause attribute with value 503 ('Session Context
              Not Found').  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 25 }

radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of malformed RADIUS CoA-Ack and CoA-NAK
              packets received from this Dynamic Authorization
              Server.  Bad authenticators and unknown types are
              not included as malformed CoA-Ack and CoA-NAK packets.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 26 }

radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Ack and CoA-NAK packets
              that contained an invalid Authenticator field
              received from this Dynamic Authorization Server.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 27 }

radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
       SYNTAX Gauge32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Request packets destined for
              this server that have not yet timed out or received a
              response.  This variable is incremented when a
              CoA-Request is sent and decremented due to receipt of
              a CoA-Ack, CoA-NAK or a timeout or a retransmission."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 28 }

radiusDynAuthClientCoATimeouts OBJECT-TYPE
       SYNTAX Counter32
       UNITS "timeouts"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of CoA request timeouts to this server.
              After a timeout the client may retry to the same
              server or give up.  A retry to the same server is
              counted as a retransmit as well as a timeout.  A send to
              a different server is counted as a CoA-Request as well
              as a timeout.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 29 }

radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of incoming CoA-Ack and CoA-NAK packets from
              this Dynamic Authorization Server silently discarded by
              the client application for some reason other than
              malformed, bad authenticators or unknown types.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 30 }

   radiusDynAuthClientUnknownTypes OBJECT-TYPE
         SYNTAX Counter32
         UNITS "replies"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The number of incoming packets of unknown types
                which were received on the Dynamic Authorization port.
                This counter may experience a discontinuity when the
                DAC module (re)starts as indicated by the value of
                radiusDynAuthClientCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 31 }

   radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
         SYNTAX TimeTicks
         UNITS "hundredths of a second"
         MAX-ACCESS read-only
         STATUS current
         DESCRIPTION
               "The time (in hundredths of a second) since the
                last counter discontinuity. A discontinuity may
                be the result of a reinitialization of the DAC
                module within the managed entity."
         ::= { radiusDynAuthServerEntry 32 }

   -- conformance information

   radiusDynAuthClientMIBConformance
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
   radiusDynAuthClientMIBCompliances
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
   radiusDynAuthClientMIBGroups
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

   -- compliance statements

   radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
         STATUS current
         DESCRIPTION
               "The compliance statement for entities implementing
                the RADIUS Dynamic Authorization Client. Implementation
                of this module is for entities that support IPv4 and/or
                IPv6."
         MODULE -- this module
         MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }

         OBJECT radiusDynAuthServerAddressType
         SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         DESCRIPTION
               "An implementation is only required to support IPv4 and
                globally unique IPv6 addresses."
         OBJECT radiusDynAuthServerAddress
         SYNTAX InetAddress (SIZE(4|16))
         DESCRIPTION
               "An implementation is only required to support IPv4 and
                globally unique IPv6 addresses."

         GROUP radiusDynAuthClientAuthOnlyGroup
         DESCRIPTION
               "Only required for Dynamic Authorization Clients that
                are supporting Service-Type attributes with value
                'Authorize-Only'."

         GROUP radiusDynAuthClientNoSessGroup
         DESCRIPTION
               "This group is not required in case the Dynamic
                Authorization Server cannot easily determine whether
                a session exists or not (e.g., in case of a RADIUS
                proxy)."

         ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
                   radiusDynAuthClientCoAInvalidServerAddresses,
                   radiusDynAuthServerAddressType,
                   radiusDynAuthServerAddress,
                   radiusDynAuthServerClientPortNumber,
                   radiusDynAuthServerID,
                   radiusDynAuthClientRoundTripTime,
                   radiusDynAuthClientDisconRequests,
                   radiusDynAuthClientDisconRetransmissions,
                   radiusDynAuthClientDisconAcks,
                   radiusDynAuthClientDisconNaks,
                   radiusDynAuthClientMalformedDisconResponses,
                   radiusDynAuthClientDisconBadAuthenticators,
                   radiusDynAuthClientDisconPendingRequests,
                   radiusDynAuthClientDisconTimeouts,
                   radiusDynAuthClientDisconPacketsDropped,
                   radiusDynAuthClientCoARequests,
                   radiusDynAuthClientCoARetransmissions,
                   radiusDynAuthClientCoAAcks,
                   radiusDynAuthClientCoANaks,
                   radiusDynAuthClientMalformedCoAResponses,
                   radiusDynAuthClientCoABadAuthenticators,
                   radiusDynAuthClientCoAPendingRequests,
                   radiusDynAuthClientCoATimeouts,
                   radiusDynAuthClientCoAPacketsDropped,
                   radiusDynAuthClientUnknownTypes,
                   radiusDynAuthClientCounterDiscontinuity
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Dynamic Authorization Client."
         ::= { radiusDynAuthClientMIBGroups 1 }

   radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
                   radiusDynAuthClientDisconNakAuthOnlyRequest,
                   radiusDynAuthClientCoAAuthOnlyRequest,
                   radiusDynAuthClientCoANakAuthOnlyRequest
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages including Service-Type attribute with
                value 'Authorize Only'."
         ::= { radiusDynAuthClientMIBGroups 2 }

   radiusDynAuthClientNoSessGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
                   radiusDynAuthClientCoANakSessNoContext
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages that are referring to non-existing sessions."
         ::= { radiusDynAuthClientMIBGroups 3 }

   END

5. Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create. So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP. These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthServerAddress and radiusDynAuthServerAddressType

   These can be used to determine the address of the DAS with which the
   DAC is communicating. This information could be useful in mounting
   an attack on the DAS.

   radiusDynAuthServerID

   This can be used to determine the Identifier of the DAS.
   This information could be useful in impersonating the DAS.

   radiusDynAuthServerClientPortNumber

   This can be used to determine the destination port number to which
   the DAC is sending. This information could be useful in mounting an
   attack on the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6. IANA Considerations

   IANA is requested to assign an OID under mib-2.

7. Acknowledgements

   The authors would also like to acknowledge the following people for
   their comments on this document: Bernard Aboba, Alan DeKok, David
   Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
   Weber, Bert Wijnen and Glen Zorn.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., et al., "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

8.2. Informative References

   [DYNSERV]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Server MIB",
              draft-ietf-radext-dynauth-server-mib-05.txt, work in
              progress, December 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.
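   As an added illustration of the counting rules in the CoA objects of
   the MIB above (pending-request gauge, timeouts versus retransmissions,
   malformed replies excluding bad authenticators and unknown types,
   CoA-NAK with Error-Cause 503) and of the Response Authenticator check
   behind radiusDynAuthClientCoABadAuthenticators, here is DAC-side
   bookkeeping in Python. This is example code, not part of the draft
   or of any implementation it describes; it assumes the RFC 3576 packet
   codes (CoA-ACK 44, CoA-NAK 45) and Error-Cause attribute (101), the
   RFC 2865 Response Authenticator construction, and uses the MIB object
   names as counter keys; secrets and packets are constructed test data.

```python
import hashlib, struct

# Packet codes and attribute numbers come from RFC 3576 (assumed; the MIB only names them).
COA_ACK, COA_NAK = 44, 45
ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND = 101, 503
P = "radiusDynAuthClient"  # MIB object names double as the counter keys

def bump(c, name, n=1):
    c[P + name] = c.get(P + name, 0) + n

def response_authenticator(head, req_auth, attrs, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_coa_reply(code, ident, req_auth, attrs, secret):
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))  # constructed DAS-side reply
    return head + response_authenticator(head, req_auth, attrs, secret) + attrs

def parse_attrs(data):
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            return None  # inconsistent attribute header: malformed
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def send_coa_request(c, retransmit=False):
    bump(c, "CoARetransmissions" if retransmit else "CoARequests")  # retry to same DAS = retransmit
    bump(c, "CoAPendingRequests")  # Gauge32 of outstanding requests

def coa_timeout(c):
    bump(c, "CoATimeouts")  # counted once; a retry is additionally a retransmission
    bump(c, "CoAPendingRequests", -1)

def receive_coa_reply(c, pkt, req_auth, secret):
    """Classify one packet from the DAS; assumes the caller matched it to a pending request."""
    if len(pkt) < 20 or len(pkt) != struct.unpack("!H", pkt[2:4])[0]:
        return bump(c, "MalformedCoAResponses")  # Length field disagrees with the datagram
    if pkt[0] not in (COA_ACK, COA_NAK):
        return bump(c, "UnknownTypes")
    if pkt[4:20] != response_authenticator(pkt[:4], req_auth, pkt[20:], secret):
        return bump(c, "CoABadAuthenticators")  # wrong secret or not sent by the DAS
    attrs = parse_attrs(pkt[20:])
    if attrs is None:
        return bump(c, "MalformedCoAResponses")  # bad authenticators and unknown types already excluded
    bump(c, "CoAPendingRequests", -1)
    bump(c, "CoAAcks" if pkt[0] == COA_ACK else "CoANaks")
    if pkt[0] == COA_NAK and (ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND)) in attrs:
        bump(c, "CoANakSessNoContext")  # Error-Cause 503, Session Context Not Found
```

   A reply whose authenticator fails is counted but never decrements the
   pending gauge, so a spoofed NAK cannot make the DAC forget a request
   it still owes a retry for.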
Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 94487 60828
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.
Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.