idnits 2.17.1

draft-ietf-ips-auth-mib-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 1459 has weird spacing: '...for the purpo...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (November 2002) is 7826 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2012' is defined on line 1397, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2571 (Obsoleted by RFC 3411)

  ** Downref: Normative reference to an Informational RFC: RFC 1215

  ** Downref: Normative reference to an Historic RFC: RFC 1157

  ** Obsolete normative reference: RFC 3291 (Obsoleted by RFC 4001)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IANA-AF'

  ** Obsolete normative reference: RFC 2011 (Obsoleted by RFC 4293)

  ** Obsolete normative reference: RFC 2465 (Obsoleted by RFC 4293, RFC 8096)

  -- Obsolete informational reference (is this intentional?): RFC 1906
     (Obsoleted by RFC 3417)

  -- Obsolete informational reference (is this intentional?): RFC 2572
     (Obsoleted by RFC 3412)

  -- Obsolete informational reference (is this intentional?): RFC 2574
     (Obsoleted by RFC 3414)

  -- Obsolete informational reference (is this intentional?): RFC 1905
     (Obsoleted by RFC 3416)

  -- Obsolete informational reference (is this intentional?): RFC 2573
     (Obsoleted by RFC 3413)

  -- Obsolete informational reference (is this intentional?): RFC 2575
     (Obsoleted by RFC 3415)

  -- Obsolete informational reference (is this intentional?): RFC 2570
     (Obsoleted by RFC 3410)

  -- Obsolete informational reference (is this intentional?): RFC 2012
     (Obsoleted by RFC 4022)

  -- No information found for draft-ietf-ips-iSCSI - is the name correct?

  -- Obsolete informational reference (is this intentional?): RFC 1510
     (Obsoleted by RFC 4120, RFC 6649)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-ips-fcmgmt-mib-01

     Summary: 9 errors (**), 0 flaws (~~), 5 warnings (==), 13 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

Internet Draft                                               Mark Bakke
                                                             Jim Muchow
Expires May 2003                                          Cisco Systems
                                                          November 2002

      Definitions of Managed Objects for User Identity Authentication

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.html.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in TCP/IP based internets.
   In particular it defines objects for managing user identities and the
   names, addresses, and credentials required to authenticate them, for
   use with various protocols.  This draft was motivated by the need for
   the configuration of authenticated user identities for the iSCSI
   protocol, but has been extended to be useful for other protocols that
   have similar requirements.  It is important to note that this MIB
   provides only the set of identities and the means to authenticate
   them; it is the responsibility of other MIBs making use of this one
   to tie them to authorization lists.
Acknowledgments

   In addition to the authors, several people contributed to the
   development of this MIB through discussions of authentication,
   authorization, and access within the iSCSI MIB and security teams,
   including John Hufferd, Marjorie Krueger, Keith McCloghrie, Tom
   McSweeney, Steve Senum, and Josh Tseng.  Thanks also to Bill
   Studenmund (Wasabi Systems) for adding the Kerberos method.

   Thanks especially to Keith McCloghrie for serving as advisor for this
   MIB.

Table of Contents

   1.  The SNMP Management Framework
   2.  Relationship to Other MIBs
   3.  Discussion
   3.1.  Authentication MIB Object Model
   3.2.  ipsAuthInstance
   3.3.  ipsAuthIdentity
   3.4.  ipsAuthIdentityName
   3.5.  ipsAuthIdentityAddress
   3.6.  ipsAuthCredential
   3.7.  IP, Fibre Channel, and Other Addresses
   3.8.  Descriptors: Using OIDs in Place of Enumerated Types
   3.9.  Notifications
   4.  MIB Definitions
   5.  Security Considerations
   6.  Normative References
   7.  Informative References
   8.  Authors' Addresses
   9.  Full Copyright Notice

1.  The SNMP Management Framework

   The SNMP Management Framework presently consists of five major
   components:

   o  An overall architecture, described in RFC 2571 [RFC2571].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management.
      The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
      1215 [RFC1215].  The second version, called SMIv2, is described
      in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and
      STD 58, RFC 2580 [RFC2580].

   o  Message protocols for transferring management information.  The
      first version of the SNMP message protocol is called SNMPv1 and
      described in STD 15, RFC 1157 [RFC1157].  A second version of
      the SNMP message protocol, which is not an Internet standards
      track protocol, is called SNMPv2c and described in RFC 1901
      [RFC1901] and RFC 1906 [RFC1906].  The third version of the
      message protocol is called SNMPv3 and described in RFC 1906
      [RFC1906], RFC 2572 [RFC2572] and RFC 2574 [RFC2574].

   o  Protocol operations for accessing management information.  The
      first set of protocol operations and associated PDU formats is
      described in STD 15, RFC 1157 [RFC1157].  A second set of
      protocol operations and associated PDU formats is described in
      RFC 1905 [RFC1905].

   o  A set of fundamental applications described in RFC 2573
      [RFC2573] and the view-based access control mechanism described
      in RFC 2575 [RFC2575].

   A more detailed introduction to the current SNMP Management Framework
   can be found in RFC 2570 [RFC2570].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.  A
   MIB conforming to the SMIv1 can be produced through the appropriate
   translations.  The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64).
   Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process.  However, this loss of machine
   readable information is not considered to change the semantics of the
   MIB.

   This MIB will be used to configure and/or look at the configuration
   of user identities and their authentication information.  For the
   purposes of this MIB, a "user" identity does not need to be an actual
   person; a user can also be a host, an application, a cluster of
   hosts, or any other identifiable entity that can be authenticated and
   granted access to a resource.

   Most objects in this MIB have a MAX-ACCESS of read-create; the MIB is
   intended to allow configuration of user identities and their names,
   addresses, and credentials.  MIN-ACCESS for all objects is read-only
   for those implementations that configure through other means, but
   require the ability to monitor user identities.

2.  Relationship to Other MIBs

   The identity authentication MIB does not directly address objects
   within other MIBs.  The identity address objects contain IPv4, IPv6,
   or other address types, and as such may be indirectly related to
   objects within the IPv4 MIB [RFC1213] [RFC2011] or IPv6 [RFC2465]
   MIB.

   This MIB does not cover authorization.  This should generally be done
   in MIBs that reference identities in this one.  It also does not
   cover login or authentication failure statistics or notifications, as
   these are all fairly application-specific, and not generic enough to
   include here.

   The user identity objects within this MIB are typically referenced
   from other MIBs by a RowPointer within that MIB.  A MIB containing
   resources for which it requires a list of authorized user identities
   may create such a list, with a single RowPointer within each list
   element pointing to a user identity within this MIB.
   This is neither
   required nor restricted by this MIB.

3.  Discussion

   This MIB structure is intended to allow the configuration of a list
   of user identities, each with a list of names, addresses,
   credentials, and certificates which when combined will authenticate
   that identity.

   The authentication MIB is structured around two primary "objects",
   the authentication instance, and the identity, which serve as
   containers for the remainder of the objects.  This section contains a
   brief description of the "object" hierarchy and a description of each
   object, followed by a discussion of the actual SNMP table structure
   within the objects.

3.1.  Authentication MIB Object Model

   The top-level object in this structure is the authentication
   instance, which "contains" all of the other objects.  The indexing
   hierarchy of this MIB looks like:

   ipsAuthInstance
   -- A distinct authentication entity within the managed system.
   -- Most implementations will have just one of these.
      ipsAuthIdentity
      -- A user identity, consisting of a set of identity names,
      -- addresses, and credentials reflected in the following
      -- objects, as well as a RowPointer to an ipsAuthCertificate.
         ipsAuthIdentityName
         -- A name for a user identity.  A name should be globally
         -- unique, and unchanging over time.  Some protocols may
         -- not require this one.
         ipsAuthIdentityAddress
         -- An address range, typically but not necessarily an
         -- IPv4, IPv6, or Fibre Channel address range, at which
         -- the identity is allowed to reside.
         ipsAuthCredential
         -- A single credential, such as a CHAP username/password,
         -- which can authenticate the identity.
            ipsAuthCredChap
            -- CHAP-specific attributes for an ipsAuthCredential
            ipsAuthCredSrp
            -- SRP-specific attributes
            ipsAuthCredKerberos
            -- Kerberos-specific attributes

   Each identity contains the information necessary to authenticate a
   particular end-point that wishes to access a service, such as iSCSI.

   An identity can contain multiple names, addresses, and credentials.

3.2.  ipsAuthInstance

   The ipsAuthInstanceAttributesTable is the primary table of the
   authentication MIB.  Every other table entry in this MIB includes the
   index of an ipsAuthInstanceAttributesEntry as its primary index.  An
   authentication instance is basically a managed set of identities.

   Many implementations will include just one authentication instance
   row in this table.  However, there will be cases where multiple rows
   in this table may be used:

   -  A large system may be "partitioned" into multiple, distinct virtual
      systems, perhaps sharing the SNMP agent but not their lists of
      identities.  Each virtual system would have its own authentication
      instance.

   -  A set of stackable systems, each with their own set of identities,
      may be managed by a common SNMP agent.  Each individual system
      would have its own authentication instance.

   -  Multiple protocols, each with their own set of identities, may
      exist within a single system and be managed by a single SNMP agent.
      In this case, each protocol may have its own authentication
      instance.

3.3.  ipsAuthIdentity

   The ipsAuthIdentAttributesTable contains one entry for each
   configured user identity.  The identity contains only a description
   of what the identity is used for; its attributes are all contained in
   other tables, since they can have multiple values.
   Other MIBs containing lists of users authorized to access a
   particular resource should generally contain a RowPointer to the
   ipsAuthIdentAttributesEntry which will, if authenticated, be allowed
   access.

   All other table entries make use of the indices to this table as
   their primary indices.

3.4.  ipsAuthIdentityName

   The ipsAuthIdentNameAttributesTable contains a list of UTF-8 names,
   each of which belongs to, and may be used to identify, a particular
   identity in the authIdentity table.

   Implementations making use of the authentication MIB may identify
   their resources by names, addresses, or both.  A name is typically a
   unique (within the required scope), unchanging identifier for a
   resource.  It will normally meet some or all of the requirements for a
   Uniform Resource Name [RFC1737], although a name in the context of
   this MIB does not need to be a URN.  Identifiers that typically
   change over time should generally be placed into the
   ipsAuthIdentityAddress table; names that have no uniqueness
   properties should usually be placed into the description attribute
   for the identity.

   An example of an identity name is the iSCSI Name, defined in [ISCSI].

   If this table contains no entries associated with a particular user
   identity, the implementation does not need to check any name
   parameters when authenticating that identity.  If the table contains
   multiple entries associated with a particular user identity, the
   implementation should consider a match with any one of these entries
   to be valid.

3.5.  ipsAuthIdentityAddress

   The ipsAuthIdentAddrAttributesTable contains a list of addresses at
   which the identity may be authenticated.  For example, an identity
   may be allowed access to a resource only from a certain IP address,
   or only if its address is in a certain range or set of ranges.

   Each entry contains a starting and ending address.
   If a single
   address is desired in the list, both starting and ending addresses
   must be identical.

   Each entry contains an AddrType attribute.  This attribute contains
   an enumeration registered as an IANA Address Family type [IANA-AF].
   Although many implementations will use IPv4 or IPv6 address types for
   these entries, any IANA-registered type may be used, as long as it
   makes sense to the application.

   Matching any address within any range within the list associated with
   a particular identity is considered to be a valid match.  If no
   entries are present in this list for a given identity, its address is
   not checked during authentication.

   Netmasks are not supported, since an address range can express the
   same thing with more flexibility.  An application specifying
   addresses using network masks may do so, and convert to and from
   address ranges when reading or writing this MIB.

3.6.  ipsAuthCredential

   The ipsAuthCredentialAttributesTable contains a list of credentials,
   each of which may authenticate a particular identity.

   Each credential contains an authentication method to be used, such as
   CHAP [RFC1994], SRP [RFC2945], or Kerberos [RFC1510].  This attribute
   contains an object identifier instead of an enumerated type, allowing
   other MIBs to add their own authentication methods, without modifying
   this MIB.

   For each entry in this table, there will exist an entry in another
   table containing its attributes.  The table in which to place the
   entry depends on the AuthMethod attribute:

   CHAP      If the AuthMethod is set to the CHAP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredChap table, which contains the CHAP username.

   SRP       If the AuthMethod is set to the SRP OID, an entry using the
             same indices as the ipsAuthCredential will exist in the
             ipsAuthCredSrp table, which contains the SRP username.
   Kerberos  If the AuthMethod is set to the Kerberos OID, an entry using
             the same indices as the ipsAuthCredential will exist in the
             ipsAuthCredKerberos table, which contains the Kerberos
             principal.

   Other     If the AuthMethod is set to any OID not defined in this MIB,
             an entry using the same indices as the ipsAuthCredential
             entry should be placed in the other MIB that defines
             whatever attributes are needed for that type of credential.

3.7.  IP, Fibre Channel, and Other Addresses

   The IP addresses in this MIB are represented by two attributes, one
   of type AddressFamilyNumbers, and the other of type AuthAddress.
   Each address can take on any of the types within the list of address
   family numbers; the most likely being IPv4, IPv6, or one of the Fibre
   Channel address types.

   The type AuthAddress is an octet string.  If the address family is
   IPv4 or IPv6, the format is taken from the InetAddress specified in
   [RFC3291].  If the address family is one of the Fibre Channel types,
   the format is identical to the FcNameIdOrZero type defined in
   [FCMGMT].

3.8.  Descriptors: Using OIDs in Place of Enumerated Types

   Some attributes, particularly the authentication method attribute,
   would normally require an enumerated type.  However, implementations
   will likely need to add new authentication method types of their own,
   without extending this MIB.  To make this work, the MIB defines a set
   of object identities within ipsAuthDescriptors.  Each of these object
   identities is basically an enumerated type.

   Attributes that make use of these object identities have a value
   which is an OID instead of an enumerated type.  These OIDs can either
   indicate the object identities defined in this MIB, or object
   identities defined elsewhere, such as in an enterprise MIB.
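   The matching rules of sections 3.4 through 3.6 above (a name matches
   any name row, and no rows means unchecked; an address matches any
   range, compared on its octet encoding, with netmasks converted to
   ranges; a credential row is completed in the table selected by its
   AuthMethod OID, as 3.8 describes) carried out in code, as an added
   Python example that is not part of the draft or of any implementation
   of it.  It assumes the draft's { experimental 99999 } module root for
   the method OIDs; the identity, iSCSI name, addresses and CHAP user
   name are constructed sample rows.

```python
"""Identity matching and credential-table dispatch modelled on the ipsAuth
tables.  Added example; rows live in plain objects, not an SNMP agent."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AFN_IPV4, AFN_IPV6 = 1, 2   # IANA address family numbers (ipsAuthIdentAddrType)

# Method OIDs under ipsAuthMethodTypes.  The draft roots the module at
# { experimental 99999 }, so ipsAuthMethodTypes is 1.3.6.1.3.99999.1.1.1.
IPS_AUTH_METHOD_TYPES = "1.3.6.1.3.99999.1.1.1"
OID_METHOD_NONE = IPS_AUTH_METHOD_TYPES + ".1"
OID_METHOD_SRP = IPS_AUTH_METHOD_TYPES + ".2"
OID_METHOD_CHAP = IPS_AUTH_METHOD_TYPES + ".3"
OID_METHOD_KERBEROS = IPS_AUTH_METHOD_TYPES + ".4"

# Section 3.6: the table that completes a credential row, by method OID.
METHOD_TABLES = {OID_METHOD_CHAP: "ipsAuthCredChap",
                 OID_METHOD_SRP: "ipsAuthCredSrp",
                 OID_METHOD_KERBEROS: "ipsAuthCredKerberos"}


def inet_address_octets(afn: int, text: str) -> bytes:
    """Encode an IP address as the InetAddress octet string IpsAuthAddress
    borrows (4 octets IPv4, 16 IPv6); the family must match the AddrType."""
    addr = ipaddress.ip_address(text)
    if (afn, addr.version) not in ((AFN_IPV4, 4), (AFN_IPV6, 6)):
        raise ValueError("address does not match ipsAuthIdentAddrType")
    return addr.packed


def range_from_prefix(afn: int, cidr: str) -> Tuple[bytes, bytes]:
    """Section 3.5: no netmask is stored, so a prefix is converted to a
    start/end pair before writing ipsAuthIdentAddrStart and ...End."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (inet_address_octets(afn, str(net.network_address)),
            inet_address_octets(afn, str(net.broadcast_address)))


@dataclass
class AddrRange:            # one ipsAuthIdentAddrAttributesEntry
    addr_type: int          # ipsAuthIdentAddrType
    start: bytes            # ipsAuthIdentAddrStart
    end: bytes              # ipsAuthIdentAddrEnd; equals start for one address


@dataclass
class Credential:           # one ipsAuthCredentialAttributesEntry
    auth_method: str        # ipsAuthCredAuthMethod, an OID string
    attrs: Dict[str, str]   # the row in the method-specific table


@dataclass
class Identity:             # one ipsAuthIdentAttributesEntry
    description: str
    names: List[str] = field(default_factory=list)      # ipsAuthIdentName rows
    addresses: List[AddrRange] = field(default_factory=list)
    credentials: List[Credential] = field(default_factory=list)


def name_matches(ident: Identity, name: str) -> bool:
    """Section 3.4: no name rows means the name is not checked; otherwise
    a match with any one row is valid."""
    return not ident.names or name in ident.names


def address_matches(ident: Identity, afn: int, octets: bytes) -> bool:
    """Section 3.5: no address rows means the address is not checked;
    otherwise any range may match.  Octet strings only order correctly
    when family and length agree, so rows of another type are skipped."""
    if not ident.addresses:
        return True
    for r in ident.addresses:
        if r.addr_type != afn or len(r.start) != len(octets) \
                or len(r.end) != len(octets):
            continue
        if r.start <= octets <= r.end:
            return True
    return False


def identity_allows(ident: Identity, name: str, afn: int, octets: bytes) -> bool:
    """Both rules must pass.  Verifying the credential itself (CHAP, SRP,
    Kerberos) is protocol-specific and outside this MIB."""
    return name_matches(ident, name) and address_matches(ident, afn, octets)


def credential_table(cred: Credential) -> Optional[str]:
    """Sections 3.6 and 3.8: the AuthMethod OID selects the table holding
    the rest of the row; ipsAuthMethodNone needs none, a foreign OID
    points at a table defined in that other MIB."""
    if cred.auth_method == OID_METHOD_NONE:
        return None
    return METHOD_TABLES.get(cred.auth_method, "other-MIB")


def sample_identity() -> Identity:
    """Constructed sample rows, not from the draft: one iSCSI name, an
    IPv4 /24 stored as a range, one IPv6 host and one CHAP credential."""
    ident = Identity(description="backup initiator (constructed)")
    ident.names.append("iqn.2002-11.com.example:backup01")
    start, end = range_from_prefix(AFN_IPV4, "10.1.2.0/24")
    ident.addresses.append(AddrRange(AFN_IPV4, start, end))
    host = inet_address_octets(AFN_IPV6, "2001:db8::10")
    ident.addresses.append(AddrRange(AFN_IPV6, host, host))
    ident.credentials.append(
        Credential(OID_METHOD_CHAP, {"ipsAuthCredChapUserName": "backup01"}))
    return ident
```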
   Those
   implementations that add their own authentication methods should also
   define a corresponding object identity for each of these methods
   within their own enterprise MIB, and return its OID whenever one of
   these attributes is using that method.

3.9.  Notifications

   Monitoring of authentication failures and other notification events
   is outside the scope of this MIB, as they are generally
   application-specific.  No notifications are provided or required.

4.  MIB Definitions

IPS-AUTH-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY, Unsigned32,
    experimental
        FROM SNMPv2-SMI

    TEXTUAL-CONVENTION, RowStatus, AutonomousType
        FROM SNMPv2-TC

    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF

    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB           -- RFC 2571

    AddressFamilyNumbers
        FROM IANA-ADDRESS-FAMILY-NUMBERS-MIB
    ;

ipsAuthModule MODULE-IDENTITY
    LAST-UPDATED "200211010000Z" -- November 1, 2002
    ORGANIZATION "IETF IPS Working Group"
    CONTACT-INFO
        "
        Mark Bakke
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001

        E-mail: mbakke@cisco.com

        Jim Muchow
        Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

        Tel: +1 763-398-1000
        Fax: +1 763-398-1001
        E-mail: jmuchow@cisco.com"

    DESCRIPTION
        "The IP Storage Authentication MIB module."
    REVISION "200211010000Z" -- November 1, 2002
    DESCRIPTION
        "Initial revision published as RFC xxxx."
    --::= { mib-2 xx }
    -- in case you want to COMPILE
    ::= { experimental 99999 }

ipsAuthObjects          OBJECT IDENTIFIER ::= { ipsAuthModule 1 }
ipsAuthNotifications    OBJECT IDENTIFIER ::= { ipsAuthModule 2 }
ipsAuthConformance      OBJECT IDENTIFIER ::= { ipsAuthModule 3 }

-- Textual Conventions

IpsAuthAddress ::= TEXTUAL-CONVENTION
    STATUS        current
    DESCRIPTION
        "IP Storage requires the use of address information
        that uses not only the InetAddress type defined in the
        INET-ADDRESS-MIB, but also Fibre Channel type defined
        in the Fibre Channel Management MIB.  Although these
        address types are recognized in the IANA Address Family
        Numbers MIB, the addressing mechanisms have not been
        merged into a well-known, common type.  This data type,
        the IpsAuthAddress, performs this function for this MIB."
    REFERENCE
        "IANA-ADDRESS-FAMILY-NUMBERS-MIB;
        INET-ADDRESS-MIB (RFC 2851);
        Fibre Channel Management MIB (presently defined in
        draft-ietf-ips-fcmgmt-mib-01.txt)."
    SYNTAX OCTET STRING (SIZE(0..255))

------------------------------------------------------------------------

ipsAuthDescriptors OBJECT IDENTIFIER ::= { ipsAuthObjects 1 }

ipsAuthMethodTypes OBJECT IDENTIFIER ::= { ipsAuthDescriptors 1 }

ipsAuthMethodNone OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when no authentication
        method is used."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 1 }

ipsAuthMethodSrp OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is SRP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 2 }

ipsAuthMethodChap OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is CHAP."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 3 }

ipsAuthMethodKerberos OBJECT-IDENTITY
    STATUS        current
    DESCRIPTION
        "The authoritative identifier when the authentication
        method is Kerberos."
    REFERENCE "iSCSI Protocol Specification."
    ::= { ipsAuthMethodTypes 4 }

----------------------------------------------------------------------

ipsAuthInstance OBJECT IDENTIFIER ::= { ipsAuthObjects 2 }

-- Instance Attributes Table

ipsAuthInstanceAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Authentication instances present on the system."
    ::= { ipsAuthInstance 2 }

ipsAuthInstanceAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthInstanceAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a particular Authentication instance."
    INDEX { ipsAuthInstIndex }
    ::= { ipsAuthInstanceAttributesTable 1 }

IpsAuthInstanceAttributesEntry ::= SEQUENCE {
    ipsAuthInstIndex           Unsigned32,
    ipsAuthInstDescr           SnmpAdminString
}

ipsAuthInstIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular authentication instance."
    ::= { ipsAuthInstanceAttributesEntry 1 }

ipsAuthInstDescr OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION
        "An octet string, determined by the implementation to
        describe the authentication instance.  When only a single
        instance is present, this object may be set to the
        zero-length string; with multiple authentication
        instances, it may be used in an implementation-dependent
        manner to describe the purpose of the respective instance."
    ::= { ipsAuthInstanceAttributesEntry 2 }

ipsAuthIdentity OBJECT IDENTIFIER ::= { ipsAuthObjects 3 }

-- User Identity Attributes Table

ipsAuthIdentAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of user identities, each belonging to a
        particular ipsAuthInstance."
    ::= { ipsAuthIdentity 1 }

ipsAuthIdentAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        describing a user identity within an authentication
        instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex }
    ::= { ipsAuthIdentAttributesTable 1 }

IpsAuthIdentAttributesEntry ::= SEQUENCE {
    ipsAuthIdentIndex          Unsigned32,
    ipsAuthIdentDescription    SnmpAdminString,
    ipsAuthIdentRowStatus      RowStatus
}

ipsAuthIdentIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity instance within an authentication
        instance present on the node."
    ::= { ipsAuthIdentAttributesEntry 1 }

ipsAuthIdentDescription OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string describing this particular identity."
    ::= { ipsAuthIdentAttributesEntry 2 }

ipsAuthIdentRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthIdentAttributesEntry 3 }

ipsAuthIdentityName OBJECT IDENTIFIER ::= { ipsAuthObjects 4 }

-- User Initiator Name Attributes Table

ipsAuthIdentNameAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of unique names that can be used to positively
        identify a particular user identity."
    ::= { ipsAuthIdentityName 1 }

ipsAuthIdentNameAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentNameAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a unique identity name which can be used
        to identify a user identity within a particular
        authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentNameIndex }
    ::= { ipsAuthIdentNameAttributesTable 1 }

IpsAuthIdentNameAttributesEntry ::= SEQUENCE {
    ipsAuthIdentNameIndex      Unsigned32,
    ipsAuthIdentName           SnmpAdminString,
    ipsAuthIdentNameRowStatus  RowStatus
}

ipsAuthIdentNameIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular identity name instance within an
        ipsAuthIdentity within an authentication instance."
    ::= { ipsAuthIdentNameAttributesEntry 1 }

ipsAuthIdentName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "A character string which is the unique name of an
        identity that may be used to identify this ipsAuthIdent
        entry."
    ::= { ipsAuthIdentNameAttributesEntry 2 }

ipsAuthIdentNameRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthIdentNameAttributesEntry 3 }

ipsAuthIdentityAddress OBJECT IDENTIFIER ::= { ipsAuthObjects 5 }

-- User Initiator Address Attributes Table

ipsAuthIdentAddrAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of address ranges that are allowed to serve
        as the endpoint addresses of a particular identity.
        An address range includes a starting and ending address,
        and an address type indicator, which can specify
        whether the address is IPv4, IPv6, FC-WWPN, or FC-WWNN."
    ::= { ipsAuthIdentityAddress 1 }

ipsAuthIdentAddrAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthIdentAddrAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to an address range which is used as part
        of the authentication of an identity
        within an authentication instance on this node."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex,
            ipsAuthIdentAddrIndex }
    ::= { ipsAuthIdentAddrAttributesTable 1 }

IpsAuthIdentAddrAttributesEntry ::= SEQUENCE {
    ipsAuthIdentAddrIndex      Unsigned32,
    ipsAuthIdentAddrType       AddressFamilyNumbers,
    ipsAuthIdentAddrStart      IpsAuthAddress,
    ipsAuthIdentAddrEnd        IpsAuthAddress,
    ipsAuthIdentAddrRowStatus  RowStatus
}

ipsAuthIdentAddrIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular ipsAuthIdentAddress instance within an
        ipsAuthIdentity within an authentication instance
        present on the node."
    ::= { ipsAuthIdentAddrAttributesEntry 1 }

ipsAuthIdentAddrType OBJECT-TYPE
    SYNTAX        AddressFamilyNumbers
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The type of Address in the ipsAuthIdentAddress
        start and end fields.  This type is taken
        from the IANA address family types; more types may
        be registered independently of this MIB."
    ::= { ipsAuthIdentAddrAttributesEntry 2 }

ipsAuthIdentAddrStart OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The starting address of the allowed address range."
    ::= { ipsAuthIdentAddrAttributesEntry 3 }

ipsAuthIdentAddrEnd OBJECT-TYPE
    SYNTAX        IpsAuthAddress
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "The ending address of the allowed address range.
        If the ipsAuthIdentAddrEntry specifies a single
        address, this shall match the ipsAuthIdentAddrStart."
    ::= { ipsAuthIdentAddrAttributesEntry 4 }

ipsAuthIdentAddrRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthIdentAddrAttributesEntry 5 }

ipsAuthCredential OBJECT IDENTIFIER ::= { ipsAuthObjects 6 }

-- Credential Attributes Table

ipsAuthCredentialAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of credentials related to user identities
        that are allowed as valid authenticators of the
        particular identity."
    ::= { ipsAuthCredential 1 }

ipsAuthCredentialAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredentialAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which authenticates a user
        identity within an authentication instance."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredentialAttributesTable 1 }

IpsAuthCredentialAttributesEntry ::= SEQUENCE {
    ipsAuthCredIndex         Unsigned32,
    ipsAuthCredAuthMethod    AutonomousType,
    ipsAuthCredRowStatus     RowStatus
}

ipsAuthCredIndex OBJECT-TYPE
    SYNTAX        Unsigned32 (1..4294967295)
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An arbitrary integer used to uniquely identify a
        particular Credential instance within an instance
        present on the node."
    ::= { ipsAuthCredentialAttributesEntry 1 }

ipsAuthCredAuthMethod OBJECT-TYPE
    SYNTAX        AutonomousType
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This object contains an OBJECT IDENTIFIER
        which identifies the authentication method
        used with this credential.

        Some standardized values for this object are defined
        within the ipsAuthMethods subtree."
    ::= { ipsAuthCredentialAttributesEntry 2 }

ipsAuthCredRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredentialAttributesEntry 3 }

ipsAuthCredChap OBJECT IDENTIFIER ::= { ipsAuthObjects 7 }

-- Credential CHAP-Specific Attributes Table

ipsAuthCredChapAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of CHAP attributes for credentials that
        use ipsAuthMethodChap as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredChap 1 }

ipsAuthCredChapAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredChapAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodChap as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredChapAttributesTable 1 }

IpsAuthCredChapAttributesEntry ::= SEQUENCE {
    ipsAuthCredChapUserName     SnmpAdminString,
    ipsAuthCredChapPassword     SnmpAdminString,
    ipsAuthCredChapRowStatus    RowStatus
}

ipsAuthCredChapUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the CHAP user name for this
        credential."
    ::= { ipsAuthCredChapAttributesEntry 1 }

ipsAuthCredChapPassword OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the password for this
        credential. If written, it changes the password for
        the credential. If read, it returns a zero-length
        string."
    ::= { ipsAuthCredChapAttributesEntry 2 }

ipsAuthCredChapRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredChapAttributesEntry 3 }

ipsAuthCredSrp OBJECT IDENTIFIER ::= { ipsAuthObjects 8 }

-- Credential SRP-Specific Attributes Table

ipsAuthCredSrpAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of SRP attributes for credentials that
        use ipsAuthMethodSrp as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredSrp 1 }

ipsAuthCredSrpAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredSrpAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodSrp as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredSrpAttributesTable 1 }

IpsAuthCredSrpAttributesEntry ::= SEQUENCE {
    ipsAuthCredSrpUserName     SnmpAdminString,
    ipsAuthCredSrpPassword     SnmpAdminString,
    ipsAuthCredSrpRowStatus    RowStatus
}

ipsAuthCredSrpUserName OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the SRP user name for this
        credential."
    ::= { ipsAuthCredSrpAttributesEntry 1 }

ipsAuthCredSrpPassword OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing the password for this
        credential. If written, it changes the password for
        the credential. If read, it returns a zero-length
        string."
    ::= { ipsAuthCredSrpAttributesEntry 2 }

ipsAuthCredSrpRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredSrpAttributesEntry 3 }

ipsAuthCredKerberos OBJECT IDENTIFIER ::= { ipsAuthObjects 9 }

-- Credential Kerberos-Specific Attributes Table

ipsAuthCredKerbAttributesTable OBJECT-TYPE
    SYNTAX        SEQUENCE OF IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "A list of Kerberos attributes for credentials that
        use ipsAuthMethodKerberos as their ipsAuthCredAuthMethod."
    ::= { ipsAuthCredKerberos 1 }

ipsAuthCredKerbAttributesEntry OBJECT-TYPE
    SYNTAX        IpsAuthCredKerbAttributesEntry
    MAX-ACCESS    not-accessible
    STATUS        current
    DESCRIPTION
        "An entry (row) containing management information
        applicable to a credential which uses
        ipsAuthMethodKerberos as its ipsAuthCredAuthMethod."
    INDEX { ipsAuthInstIndex, ipsAuthIdentIndex, ipsAuthCredIndex }
    ::= { ipsAuthCredKerbAttributesTable 1 }

IpsAuthCredKerbAttributesEntry ::= SEQUENCE {
    ipsAuthCredKerbPrincipal    SnmpAdminString,
    ipsAuthCredKerbRowStatus    RowStatus
}

ipsAuthCredKerbPrincipal OBJECT-TYPE
    SYNTAX        SnmpAdminString
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "An octet string containing a Kerberos principal
        for this credential."
    ::= { ipsAuthCredKerbAttributesEntry 1 }

ipsAuthCredKerbRowStatus OBJECT-TYPE
    SYNTAX        RowStatus
    MAX-ACCESS    read-create
    STATUS        current
    DESCRIPTION
        "This field allows entries to be dynamically added and
        removed from this table via SNMP."
    ::= { ipsAuthCredKerbAttributesEntry 2 }

------------------------------------------------------------------------
-- Notifications

-- There are no notifications necessary in this MIB.

------------------------------------------------------------------------

-- Conformance Statements

ipsAuthGroups OBJECT IDENTIFIER ::= { ipsAuthConformance 1 }

ipsAuthInstanceAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthInstDescr
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        authentication instances."
    ::= { ipsAuthGroups 1 }

ipsAuthIdentAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentDescription,
        ipsAuthIdentRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user identities within an authentication instance."
    ::= { ipsAuthGroups 2 }

ipsAuthIdentNameAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentName,
        ipsAuthIdentNameRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        user names within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 3 }

ipsAuthIdentAddrAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthIdentAddrType,
        ipsAuthIdentAddrStart,
        ipsAuthIdentAddrEnd,
        ipsAuthIdentAddrRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        address ranges within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 4 }

ipsAuthIdentCredAttributesGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredAuthMethod,
        ipsAuthCredRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        credentials within user identities within an authentication
        instance."
    ::= { ipsAuthGroups 5 }

ipsAuthIdentChapAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredChapUserName,
        ipsAuthCredChapPassword,
        ipsAuthCredChapRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        CHAP credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 6 }

ipsAuthIdentSrpAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredSrpUserName,
        ipsAuthCredSrpPassword,
        ipsAuthCredSrpRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        SRP credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 7 }

ipsAuthIdentKerberosAttrGroup OBJECT-GROUP
    OBJECTS {
        ipsAuthCredKerbPrincipal,
        ipsAuthCredKerbRowStatus
    }
    STATUS current
    DESCRIPTION
        "A collection of objects providing information about
        Kerberos credentials within user identities within an
        authentication instance."
    ::= { ipsAuthGroups 8 }

------------------------------------------------------------------------

ipsAuthCompliances OBJECT IDENTIFIER ::= { ipsAuthConformance 2 }

ipsAuthComplianceV1 MODULE-COMPLIANCE
    STATUS current
    DESCRIPTION
        "Initial version of compliance statement based on
        initial version of MIB.

        The Instance and Identity groups are mandatory;
        at least one of the other groups (Name, Address,
        Credential, Certificate) is also mandatory for
        any given implementation."
    MODULE -- this module
    MANDATORY-GROUPS {
        ipsAuthInstanceAttributesGroup,
        ipsAuthIdentAttributesGroup
    }

    -- Conditionally mandatory groups to be included with
    -- the mandatory groups when necessary.

    GROUP ipsAuthIdentNameAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that make use of unique identity names."

    GROUP ipsAuthIdentAddrAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use addresses to help authenticate identities."

    GROUP ipsAuthIdentCredAttributesGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use credentials to help authenticate identities."

    GROUP ipsAuthIdentChapAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use CHAP to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentSrpAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use SRP to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    GROUP ipsAuthIdentKerberosAttrGroup
    DESCRIPTION
        "This group is mandatory for all implementations
        that use Kerberos to help authenticate identities.

        The ipsAuthIdentCredAttributesGroup must be
        implemented if this group is implemented."

    OBJECT ipsAuthInstDescr
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentDescription
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentNameRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthIdentAddrType
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrStart
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrEnd
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthIdentAddrRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredAuthMethod
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredChapUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapPassword
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredChapRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredSrpUserName
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredSrpPassword
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."

    OBJECT ipsAuthCredSrpRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    OBJECT ipsAuthCredKerbPrincipal
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT ipsAuthCredKerbRowStatus
    SYNTAX INTEGER { active(1) } -- subset of RowStatus
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required, and only one of the
        six enumerated values for the RowStatus textual
        convention need be supported, specifically:
        active(1)."

    ::= { ipsAuthCompliances 1 }

END

5. Security Considerations

SNMPv1 by itself is not a secure environment. Even if the network
itself is secure (for example, by using IPsec), there is still no
control over who on the secure network is allowed to access and
GET/SET (read/change/create/delete) the objects in this MIB.

It is recommended that implementors consider the security features
provided by the SNMPv3 framework. Specifically, the use of the
User-based Security Model RFC 2574 [RFC2574] and the View-based
Access Control Model RFC 2575 [RFC2575] is recommended.

It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB is properly
configured to give access to the objects only to those principals
(users) that have legitimate rights to GET or SET
(change/create/delete) them.

Read access to this MIB reveals which names, addresses, and
credentials would be required to access services on the managed
system. If these credentials are easily spoofed (particularly the
name or address), read access to the MIB must be tightly controlled.

Write access to the MIB provides the ability to set up which
credentials may be used to access services on the managed system, to
remove legitimate credentials (a denial of service), or to remove
individual credentials so as to weaken the requirements for access to
a particular service. In addition, write access may be used to change
CHAP or SRP passwords to a known value.
Write access must always be tightly controlled.

6. Normative References

[RFC2571] D. Harrington, R. Presuhn, and B. Wijnen, "An Architecture
          for Describing SNMP Management Frameworks", RFC 2571, April
          1999.

[RFC1155] M. Rose and K. McCloghrie, "Structure and Identification of
          Management Information for TCP/IP-based Internets", STD 16,
          RFC 1155, May 1990.

[RFC1212] M. Rose and K. McCloghrie, "Concise MIB Definitions", STD 16,
          RFC 1212, March 1991.

[RFC2578] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
          Rose, and S. Waldbusser, "Structure of Management
          Information Version 2 (SMIv2)", STD 58, RFC 2578, April
          1999.

[RFC1215] M. Rose, "A Convention for Defining Traps for use with the
          SNMP", RFC 1215, March 1991.

[RFC2579] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
          Rose, and S. Waldbusser, "Textual Conventions for SMIv2",
          STD 58, RFC 2579, April 1999.

[RFC2580] K. McCloghrie, D. Perkins, J. Schoenwaelder, J. Case, M.
          Rose, and S. Waldbusser, "Conformance Statements for SMIv2",
          STD 58, RFC 2580, April 1999.

[RFC1157] J. Case, M. Fedor, M. Schoffstall, and J. Davin, "Simple
          Network Management Protocol", STD 15, RFC 1157, May 1990.

[RFC3291] M. Daniele, et al., "Textual Conventions for Internet
          Network Addresses", RFC 3291, May 2002.

[IANA-AF] IANA, "IANA Address Family Numbers MIB",
          http://www.iana.org/assignments/ianaaddressfamilynumbers-mib

[RFC1213] K. McCloghrie and M. Rose, "Management Information Base for
          Network Management of TCP/IP-based internets: MIB-II",
          RFC 1213, March 1991.

[RFC2011] K. McCloghrie, "SNMPv2 Management Information Base for the
          Internet Protocol using SMIv2", RFC 2011, November 1996.

[RFC2465] D. Haskin and S. Onishi, "Management Information Base for IP
          Version 6: Textual Conventions and General Group", RFC 2465,
          December 1998.

7. Informative References

[RFC1901] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
          "Introduction to Community-based SNMPv2", RFC 1901, January
          1996.

[RFC1906] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
          "Transport Mappings for Version 2 of the Simple Network
          Management Protocol (SNMPv2)", RFC 1906, January 1996.

[RFC2572] J. Case, D. Harrington, R. Presuhn, and B. Wijnen, "Message
          Processing and Dispatching for the Simple Network Management
          Protocol (SNMP)", RFC 2572, April 1999.

[RFC2574] U. Blumenthal and B. Wijnen, "User-based Security Model
          (USM) for version 3 of the Simple Network Management
          Protocol (SNMPv3)", RFC 2574, April 1999.

[RFC1905] J. Case, K. McCloghrie, M. Rose, and S. Waldbusser,
          "Protocol Operations for Version 2 of the Simple Network
          Management Protocol (SNMPv2)", RFC 1905, January 1996.

[RFC2573] D. Levi, P. Meyer, and B. Stewart, "SNMPv3 Applications",
          RFC 2573, April 1999.

[RFC2575] B. Wijnen, R. Presuhn, and K. McCloghrie, "View-based Access
          Control Model (VACM) for the Simple Network Management
          Protocol (SNMP)", RFC 2575, April 1999.

[RFC2570] J. Case, R. Mundy, D. Partain, and B. Stewart, "Introduction
          to Version 3 of the Internet-standard Network Management
          Framework", RFC 2570, April 1999.

[RFC2012] K. McCloghrie, "SNMPv2 Management Information Base for the
          Transmission Control Protocol using SMIv2", RFC 2012,
          November 1996.

[ISCSI]   J. Satran, et al., "iSCSI", draft-ietf-ips-iSCSI-17,
          September 2002.

[RFC1737] K. Sollins and L. Masinter, "Functional Requirements for
          Uniform Resource Names", RFC 1737, December 1994.

[RFC1994] W. Simpson, "PPP Challenge Handshake Authentication Protocol
          (CHAP)", RFC 1994, August 1996.

[RFC1510] J. Kohl and C. Neuman, "The Kerberos Network Authentication
          Service (V5)", RFC 1510, September 1993.

[RFC2945] T. Wu, "The SRP Authentication and Key Exchange System",
          RFC 2945, September 2000.

[FCMGMT]  K. McCloghrie, "Fibre Channel Management MIB",
          draft-ietf-ips-fcmgmt-mib-01, February 2002.

[X.509]   ITU-T Recommendation X.509 (1997 E), "Information Technology
          - Open Systems Interconnection - The Directory:
          Authentication Framework", June 1997.

8. Authors' Addresses

Mark Bakke
Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

Tel: +1 763-398-1000
Fax: +1 763-398-1001

E-mail: mbakke@cisco.com

Jim Muchow
Postal: Cisco Systems, Inc
        6450 Wedgwood Road, Suite 130
        Maple Grove, MN
        USA 55311

Tel: +1 763-398-1000
Fax: +1 763-398-1001

E-mail: jmuchow@cisco.com

9. Full Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
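The following Python is an added example, not part of this draft or of any agent implementation; it models how an authentication instance would consult the ipsAuthIdentAddrAttributesTable rows (ipsAuthIdentAddrType, ipsAuthIdentAddrStart, ipsAuthIdentAddrEnd) described above, and illustrates the Security Considerations point that these rows decide which endpoint addresses may claim an identity. Rows are first validated (octet length must fit the address family, start must not exceed end, a single address is expressed as start == end) and a peer address is accepted only when it lies inside a well-formed row of the same family, so a malformed row can never widen access. The AddressFamilyNumbers values are the IANA assignments the MIB imports via [IANA-AF]; the row contents, the helper functions and the identity they describe are constructed for illustration.

```python
"""Added example: fail-closed evaluation of an identity's allowed-address
rows, as defined by ipsAuthIdentAddrAttributesTable. Not part of
draft-ietf-ips-auth-mib; all row values below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# AddressFamilyNumbers values (IANA registry, referenced by the MIB as [IANA-AF]).
AF_IPV4 = 1       # ipV4
AF_IPV6 = 2       # ipV6
AF_FC_WWPN = 22   # fibreChannelWWPN
AF_FC_WWNN = 23   # fibreChannelWWNN

# Octet length an IpsAuthAddress must have for each family handled here.
OCTETS_FOR_TYPE = {AF_IPV4: 4, AF_IPV6: 16, AF_FC_WWPN: 8, AF_FC_WWNN: 8}


@dataclass(frozen=True)
class AddrRangeRow:
    """Non-index columns of one ipsAuthIdentAddrAttributesEntry."""
    addr_type: int   # ipsAuthIdentAddrType
    start: bytes     # ipsAuthIdentAddrStart, network byte order
    end: bytes       # ipsAuthIdentAddrEnd; equals start for a single address


def validate_row(row: AddrRangeRow) -> List[str]:
    """Return the row's consistency problems; an empty list means it is usable."""
    expected = OCTETS_FOR_TYPE.get(row.addr_type)
    if expected is None:
        return [f"unsupported ipsAuthIdentAddrType {row.addr_type}"]
    if len(row.start) != expected or len(row.end) != expected:
        return ["start/end octet length does not fit the address type"]
    # Equal-length big-endian octet strings compare like unsigned integers.
    if row.start > row.end:
        return ["ipsAuthIdentAddrEnd is lower than ipsAuthIdentAddrStart"]
    return []


def address_allowed(rows: List[AddrRangeRow], addr_type: int, addr: bytes) -> bool:
    """A peer address is accepted only if it lies inside a well-formed row
    of the same address family. Malformed rows are skipped, never matched."""
    for row in rows:
        if validate_row(row):
            continue
        if row.addr_type == addr_type and row.start <= addr <= row.end:
            return True
    return False


def ip_to_octets(text: str) -> Tuple[int, bytes]:
    """Encode an IPv4/IPv6 literal as (AddressFamilyNumbers value, octets).
    An IPv4-mapped IPv6 literal stays IPv6 and so never matches an IPv4 row."""
    ip = ipaddress.ip_address(text)
    return (AF_IPV4 if ip.version == 4 else AF_IPV6), ip.packed


def wwn_to_octets(text: str, node_name: bool = False) -> Tuple[int, bytes]:
    """Encode a colon-separated 64-bit Fibre Channel WWPN (or WWNN)."""
    octets = bytes.fromhex(text.replace(":", ""))
    if len(octets) != 8:
        raise ValueError("a WWN is exactly 8 octets")
    return (AF_FC_WWNN if node_name else AF_FC_WWPN), octets


def ip_row(start: str, end: Optional[str] = None) -> AddrRangeRow:
    """Build a row from IP literals; omit `end` for a single address."""
    t, s = ip_to_octets(start)
    t2, e = ip_to_octets(end) if end else (t, s)
    if t != t2:
        raise ValueError("start and end must share an address family")
    return AddrRangeRow(t, s, e)


# Constructed rows for one identity (illustrative values, not from the draft).
IDENTITY_ROWS = [
    ip_row("10.0.0.1", "10.0.0.10"),                      # IPv4 range
    ip_row("2001:db8::10"),                               # single IPv6 address
    AddrRangeRow(AF_FC_WWPN,
                 wwn_to_octets("50:06:01:60:00:00:00:01")[1],
                 wwn_to_octets("50:06:01:60:00:00:00:08")[1]),
    AddrRangeRow(AF_IPV4, b"\x0a\x00\x00\x20", b"\x0a\x00\x00\x10"),  # end < start
]

if __name__ == "__main__":
    for text in ("10.0.0.7", "10.0.0.11", "10.0.0.16", "2001:db8::10", "::ffff:10.0.0.7"):
        print(text, address_allowed(IDENTITY_ROWS, *ip_to_octets(text)))
    print("wwpn", address_allowed(IDENTITY_ROWS, *wwn_to_octets("50:06:01:60:00:00:00:05")))
    print("bad row:", validate_row(IDENTITY_ROWS[3]))
```

The last constructed row has its end below its start; a check that only compared opaque octets could either never match it or, if it swapped the bounds, silently admit 10.0.0.16 through 10.0.0.32. Rejecting it at validation time is the behaviour a management station should also flag when it reads such a row back.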