Network Working Group                                          K. Narayan
Internet-Draft                                        Cisco Systems, Inc.
Intended status: Standards Track                                D. Nelson
Expires: June 5, 2010                               Elbrys Networks, Inc.
                                                          R. Presuhn, Ed.
                                                                     None
                                                         December 2, 2009

      Extensions to View-based Access Control Model for use with RADIUS
                      draft-ietf-isms-radius-vacm-00.txt

Abstract

   This memo describes a backward-compatible extension to the View-based
   Access Control Model for SNMPv3 for use with RADIUS and other AAA
   services to provide authorization of MIB database access.  This
   extension is intended to be used in conjunction with secure SNMP
   Transport Models that facilitate RADIUS authentication, such as the
   Secure Shell Transport Model.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 5, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the BSD License.

Table of Contents

   1.  Introduction
     1.1.  General
     1.2.  System Block Diagram
     1.3.  Using RADIUS with SNMP
   2.  Extended VACM for RADIUS Authorization
   3.  VACM Extension for RADIUS Authorization
     3.1.  Dynamic Update of VACM and Extended VACM MIB Module Objects
     3.2.  Purging Volatile Entries in the Extended VACM MIB Module
   4.  Elements of Procedure for Extended VACM
   5.  MIB Module Definition
   6.  IANA Considerations
   7.  Security Considerations
   8.  Open Issues
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

1.1.  General

   The Simple Network Management Protocol version 3 (SNMPv3) provides
   message security services through the Security Subsystem.
   [RFC5590] defines a Transport Subsystem for SNMP, [RFC5591] a
   Transport Security Model, [RFC5592] a Secure Shell Transport Model,
   and [RFC5608] a method for authenticating SNMPv3 users via the Remote
   Authentication Dial-In User Service (RADIUS).

   It is now possible to authenticate SNMPv3 messages via RADIUS when
   those messages are sent over the SSH transport.  This document builds
   on that work and describes a means to centrally authorize a given
   SNMP transaction using on-device, pre-existing authorization
   configuration.  In order to leverage a centralized RADIUS service to
   its full extent, the access control decision in the Access Control
   Subsystem needs to be based on authorization information received
   from RADIUS as well.  This document defines an extension to the View-
   based Access Control Model (VACM) that obtains authorization
   information for an authenticated principal from RADIUS.

   Additional introductory material on the RADIUS operational model and
   RADIUS usage with SNMP may be found in Sections 1.3 and 1.5 of
   [RFC5608].

   It is important to understand the SNMP architecture and its
   terminology in order to understand where the Extended View-based
   Access Control Model described in this memo fits into the
   architecture and how it interacts with other subsystems and models
   within the architecture.  The reader is expected to have read and
   understood [RFC3411], [RFC3412], [RFC3413], [RFC3415] and [RFC3418].
   As this document describes an extension to VACM, it relies on much of
   the material in [RFC3415].
1.2.  System Block Diagram

   A block diagram of the major system components referenced in this
   document may be useful to understanding the text that follows.

                                      +--------+
          +...........................|RADIUS  |....+
          .                           |Server  |    .
       Shared                         +--------+    .
        User                              |         .
     Credentials                   RADIUS |       Shared
          .                               |       RADIUS
          .                               |       Secret
          .                               |         .
   +-------------+                  +-----------------+
   |   Network   |                  | RADIUS Client / |
   | Management  |       SNMP       |  SNMP Engine /  |
   | Application |------------------| Network Device  |
   +-------------+       SSH        +-----------------+

                              Block Diagram

   This diagram illustrates that a network management application
   communicates with a network device, the managed entity, using SNMP
   over SSH.  The network device uses RADIUS to communicate with a
   RADIUS server to authenticate the network management application (or
   the user whose credentials that application provides) and to obtain
   authorization information related to access via SNMP for the purpose
   of device management.  Other secure transport protocols might be used
   instead of SSH.

1.3.  Using RADIUS with SNMP

   There are two use cases for RADIUS support of management access via
   SNMP: (a) service authorization and (b) access control authorization.
   RADIUS almost always involves user authentication as a prerequisite
   to authorization, and there is a user authentication phase in each of
   these two use cases.  The first use case is discussed in detail in
   [RFC5608].  The second use case is the subject of this document,
   which describes how RADIUS attributes and messages are applied to the
   specific application area of SNMP Access Control Models, and VACM in
   particular.

   This document assumes that Extended VACM will be used in conjunction
   with an SNMP secure Transport Model and the SNMP Transport Security
   Model.  The rationale for this assumption is as follows.
   The RFC 3411 SNMP architecture maintains strong modularity and
   separation of concerns, extending to separating user identity
   (authentication) from user database access rights (authorization).
   The former is the business of the Security Subsystem and the latter
   is the business of the Access Control Subsystem.  RADIUS, on the
   other hand, allows for no such separation of authorization from
   authentication.  In order to use RADIUS with SNMP, the binding of
   user authentication to user authorization must be achieved without
   violating the modularity of the RFC 3411 SNMP architecture.

   RADIUS does support a limited form of Authorize-Only operation.  The
   RADIUS "Authorize Only" Service-Type Attribute can be specified in an
   Access-Request message, but only when accompanied by a RADIUS State
   Attribute, which contains an implementation-specific "cookie"
   representing the successful outcome of a previous authentication
   transaction.  For that reason, it is not possible to completely
   separate the use of RADIUS by the Access Control Subsystem from the
   use of RADIUS by other subsystems.  This suggests that the most
   straightforward approach is to leverage the existing RADIUS usage, as
   documented in [RFC5608], and the tmStateReference cache, as
   documented in Section 5.2 of [RFC5590].

   This document also assumes that the detailed access control rules are
   pre-configured in the NAS.  Dynamic user authorization for MIB
   database access control, as defined herein, is limited to mapping the
   authenticated user to a pre-existing group, which in turn is mapped
   to the pre-existing rules.  The operative use case assumption is that
   roles within an organization (i.e., groups and rules) change
   infrequently, while the users assigned to those roles change much
   more frequently.  It is the user-to-role mapping that is outsourced
   to the RADIUS server.
2.  Extended VACM for RADIUS Authorization

   This document relies on implementation-specific integration of the
   RADIUS client for user authentication and authorization.  Further, it
   relies on implementation-specific caching of MIB database access
   policy information, in the form of the RADIUS Management-Policy-Id
   Attribute, such that it is available to Extended VACM.

   A NAS compliant with this specification MUST treat any RADIUS
   Access-Accept message that provisions a specific MIB database access
   control policy that the NAS cannot provide as if an Access-Reject
   message had been received instead.

   The RADIUS Management-Policy-Id Attribute MUST be used in an Access-
   Accept message to provision a user-specific access control policy for
   use in conjunction with Extended VACM.  The syntax and semantics of
   the Management-Policy-Id Attribute are described in Section 6.3 of
   [RFC5607].

   The intended use of the content of the Management-Policy-Id Attribute
   is to provision a mapping between the authenticated user associated
   with the secure transport session and an access control group pre-
   provisioned in the VACM MIB module.  Details of this mapping are
   described in the following sections.

3.  VACM Extension for RADIUS Authorization

   The extension to VACM [RFC3415] described in this document is a
   method for one or more of its MIB module objects to be dynamically
   provisioned based on information received from RADIUS or some
   similar AAA service.  This extension requires no changes to the
   Abstract Service Interface (ASI) for the Access Control Subsystem,
   nor any changes to the Elements of Procedure (EOP) for VACM.  A new
   MIB module that augments the vacmSecurityToGroupTable is defined in
   this document, along with supplemental EOP for Extended VACM.
   It does require that a module of code somewhere in the NAS be able to
   write to the VACM MIB module and the Extended VACM MIB module, and
   that it reliably and consistently do so in immediate response to
   access control policy information received from RADIUS.

3.1.  Dynamic Update of VACM and Extended VACM MIB Module Objects

   The implementation-dependent interface between the RADIUS Client
   function in the NAS and the SNMP Engine in the NAS is responsible for
   updating the vacmSecurityToGroupTable within the VACM MIB module
   [RFC3415] and the corresponding rows of the
   extVacmSecurityToGroupTable.  These rows are dynamically updated from
   RADIUS authorization data.  Specifically, the RADIUS User-Name
   Attribute is used as the vacmSecurityName and the RADIUS
   Management-Policy-Id Attribute is used as the vacmGroupName.  The
   vacmSecurityModel is the value assigned to the Transport Security
   Model.  The vacmSecurityToGroupStorageType should be volatile (2).

   In creating a row in the vacmSecurityToGroupTable, there are three
   cases to consider:

   o  No existing row has a matching vacmSecurityName.

   o  An existing row has a matching vacmSecurityName.

   o  No additional rows can be created, e.g., because of resource
      constraints.

   The second and third cases require special consideration.  The second
   case may represent a conflict between dynamic access control
   authorization from RADIUS and local access control configuration by a
   security administrator, e.g., via remote or local SNMP MIB module
   updates.  If one assumes that the security administrator
   intentionally configured a table entry for the "conflicting"
   vacmSecurityName, with full knowledge that it might override dynamic
   authorization information from RADIUS, the right thing to do would be
   nothing; that is, do not update the table based on RADIUS
   authorization information.
   On the other hand, it is possible that the "name collision" is the
   result of a mistake, or the result of stale configuration
   information.

   The behavior specified for Extended VACM is to make no update to the
   vacmSecurityToGroupTable and to increment the
   extVacmSecurityNameConflict counter.

   The third case is likely to be rare, and SHOULD result in a
   notification of some sort being logged for action by the system
   administrator.

   It is expected that the value of the RADIUS Management-Policy-Id
   Attribute matches an existing vacmGroupName that can be successfully
   used as an index into the vacmAccessTable.  If no matching
   vacmGroupName exists, the access control decision falls through to
   the default access rights of "no access", which is the desired
   result.  The NAS should increment the extVacmMissingGroupName
   counter, for troubleshooting purposes, as this most likely indicates
   an administrative misconfiguration.

   In addition to creating a new row in the vacmSecurityToGroupTable,
   the NAS creates a corresponding new row in the
   extVacmSecurityToGroupTable, using the same index values as were
   used to create the row in the vacmSecurityToGroupTable.  The value of
   the extVacmRowCreatedBy object is set to radius (1), and the value of
   extVacmRowLifetime is set to the value of the RADIUS Session-Timeout
   Attribute, if one was received by the RADIUS Client for this session,
   or to zero (0) otherwise.

3.2.  Purging Volatile Entries in the Extended VACM MIB Module

   When the secure transport session is torn down, disconnected or
   times out, any volatile table rows created in the
   vacmSecurityToGroupTable by the Extended VACM function MUST be
   removed.  The mechanism to accomplish this task is implementation
   specific.

4.  Elements of Procedure for Extended VACM

   This section describes the Elements of Procedure for Extended VACM.
   The function of the VACM extension is to manage the creation and
   deletion of rows in the vacmSecurityToGroupTable, based on the
   outcome of RADIUS authorization.  All access control decisions are
   taken by VACM, as defined in [RFC3415].  The EOP for VACM remain as
   listed in Section 3 of that document.

   When RADIUS (or another AAA service) authorizes SNMP data access
   control for a user-authenticated secure transport session, the NAS
   causes the RADIUS provisioning information to be made available to
   the Extended VACM facility, which populates the
   vacmSecurityToGroupTable as follows:

   1.  If the RADIUS Management-Policy-Id Attribute is not available,
       increment the extVacmNoPolicy counter.  Do not create a table
       row.

   2.  If the RADIUS Management-Policy-Id Attribute is available, and if
       no existing row has a vacmSecurityName matching the RADIUS
       User-Name Attribute, create a new row with the columns populated
       as follows:

       A.  vacmSecurityModel = (x) secureTransportSecurityModel

       B.  vacmSecurityName = RADIUS User-Name Attribute

       C.  vacmGroupName = RADIUS Management-Policy-Id Attribute

       D.  vacmSecurityToGroupStorageType = (2) volatile

       E.  vacmSecurityToGroupStatus = createAndGo ???

       F.  extVacmRowCreatedBy = (1) radius

       G.  extVacmRowLifetime = RADIUS Session-Timeout Attribute |
           zero (0)

       H.  extVacmTransportSessionID = ID provided by the Secure
           Transport Model

   3.  If an existing table row has a matching vacmSecurityName,
       increment the extVacmSecurityNameConflict counter.  Do not create
       a table row.  If no additional table rows can be created, e.g.,
       because of resource constraints, increment the
       extVacmResourceError counter.

   When a RADIUS-authenticated secure transport session is disconnected
   by the remote peer, the NAS causes Extended VACM to remove the
   corresponding table row from the vacmSecurityToGroupTable.
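   The creation and teardown steps above, as an added example that is
   not part of the draft: a Python model of the Extended VACM row
   manager.  It parses a constructed RADIUS attribute list (type codes 1
   and 27 from RFC 2865, 135 from RFC 5607), applies steps 1 to 3
   including the Section 3.1 rule for a Management-Policy-Id that names
   no vacmAccessTable group, purges the row on session teardown, and
   also enforces extVacmRowLifetime expiry, which the draft states only
   as a SHOULD on the MIB object.  Assumed, not taken from the draft:
   the value 4 for vacmSecurityModel (RFC 5591's registration for the
   Transport Security Model, where the draft writes "(x)"), a fixed row
   limit standing in for NAS resources, the counter name
   extVacmMissingGroupName, which Section 3.1 uses but the MIB module
   does not define, and every user, group and session value in demo().

```python
"""Model of the Extended VACM row-management procedure (added example, not
code from the draft).  A constructed RADIUS Access-Accept attribute list is
parsed, Section 4 steps 1-3 create or refuse a vacmSecurityToGroupTable row,
and Section 3.2 teardown or extVacmRowLifetime expiry purges it."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# RADIUS attribute type codes: User-Name (1) and Session-Timeout (27) from
# RFC 2865, Management-Policy-Id (135) from RFC 5607.
USER_NAME, SESSION_TIMEOUT, MANAGEMENT_POLICY_ID = 1, 27, 135
# The draft leaves vacmSecurityModel as "(x)"; RFC 5591 registers 4 for the
# Transport Security Model, which is assumed here.
TSM_SECURITY_MODEL = 4


def attr(atype: int, value) -> bytes:
    """Encode one RADIUS attribute TLV; integer values are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    """Decode a RADIUS attribute list into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


@dataclass
class Row:
    """One vacmSecurityToGroupTable row together with its extVacm columns."""
    security_model: int
    security_name: str
    group_name: str
    storage_type: str = "volatile"   # vacmSecurityToGroupStorageType (2)
    created_by: str = "radius"       # extVacmRowCreatedBy (1)
    lifetime: int = 0                # extVacmRowLifetime: Session-Timeout or 0
    session_id: int = 0              # extVacmTransportSessionID
    created_at: float = 0.0          # local clock at creation, for expiry


@dataclass
class ExtendedVacm:
    access_groups: Set[str]          # vacmGroupNames present in vacmAccessTable
    max_rows: int = 64               # hypothetical stand-in for NAS resources
    rows: Dict[Tuple[int, str], Row] = field(default_factory=dict)
    counters: Dict[str, int] = field(default_factory=lambda: {
        "extVacmNoPolicy": 0, "extVacmSecurityNameConflict": 0,
        "extVacmResourceError": 0, "extVacmMissingGroupName": 0})

    def authorize(self, attrs: Dict[int, bytes], session_id: int,
                  now: float = 0.0) -> Optional[Row]:
        """Section 4, steps 1 to 3, for one Access-Accept on one session."""
        policy = attrs.get(MANAGEMENT_POLICY_ID)
        if policy is None:                                   # step 1
            self.counters["extVacmNoPolicy"] += 1
            return None
        name = attrs[USER_NAME].decode()
        if any(r.security_name == name for r in self.rows.values()):
            self.counters["extVacmSecurityNameConflict"] += 1  # step 3: local row wins
            return None
        if len(self.rows) >= self.max_rows:                  # step 3: no resources
            self.counters["extVacmResourceError"] += 1
            return None
        group = policy.decode()
        if group not in self.access_groups:
            # Section 3.1: the row is still created; with no vacmAccessTable
            # entry for this group, VACM falls through to "no access".
            self.counters["extVacmMissingGroupName"] += 1
        timeout = attrs.get(SESSION_TIMEOUT)                 # step 2
        row = Row(TSM_SECURITY_MODEL, name, group, session_id=session_id,
                  lifetime=struct.unpack("!I", timeout)[0] if timeout else 0,
                  created_at=now)
        self.rows[(TSM_SECURITY_MODEL, name)] = row
        return row

    def session_closed(self, session_id: int) -> bool:
        """Section 3.2 teardown: delete the row bound to this transport
        session, but only if Extended VACM (RADIUS) created it."""
        for key, row in list(self.rows.items()):
            if row.session_id == session_id:
                if row.created_by != "radius":
                    return False                             # administrator's row
                del self.rows[key]
                return True
        return False

    def expire(self, now: float) -> int:
        """Delete RADIUS-created rows whose extVacmRowLifetime has elapsed
        (0 means no limit); returns the number of rows removed."""
        dead = [k for k, r in self.rows.items() if r.created_by == "radius"
                and r.lifetime and now >= r.created_at + r.lifetime]
        for k in dead:
            del self.rows[k]
        return len(dead)


def demo() -> ExtendedVacm:
    """Constructed exchange: a good Accept, a name conflict, an Accept with
    no policy, and a policy naming a group absent from vacmAccessTable."""
    evacm = ExtendedVacm(access_groups={"netops-ro"}, max_rows=2)
    accept = (attr(USER_NAME, b"alice") + attr(MANAGEMENT_POLICY_ID, b"netops-ro")
              + attr(SESSION_TIMEOUT, 3600))
    evacm.authorize(parse_attributes(accept), session_id=7)      # row created
    evacm.authorize(parse_attributes(accept), session_id=8)      # name conflict
    evacm.authorize(parse_attributes(attr(USER_NAME, b"bob")), session_id=9)
    evacm.authorize(parse_attributes(attr(USER_NAME, b"carol")
                                     + attr(MANAGEMENT_POLICY_ID, b"typo")),
                    session_id=10)
    return evacm
```

   The conflict check deliberately keys on vacmSecurityName alone, as
   the text does, so a row an administrator configured for the same user
   name is never overwritten by RADIUS data.  A real NAS would drive
   session_closed() from the transport model's session-close event and
   expire() from a timer rather than from explicit calls.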
   The NAS provides an implementation-dependent identifier of the
   session in question to Extended VACM.

   1.  Search for a row with a matching extVacmTransportSessionID.

   2.  If found, check that the extVacmRowCreatedBy value is radius (1).
       If not, ignore the request.

   3.  If a table row exists with a matching value of
       extVacmTransportSessionID, and it was created by RADIUS, that row
       is deleted.

5.  MIB Module Definition

   This MIB module employs the notation of [RFC2578], [RFC2579] and
   [RFC2580].  It uses textual conventions from [RFC2579] and [RFC3411].

   SNMP-EXT-VIEW-BASED-ACM-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-COMPLIANCE, OBJECT-GROUP       FROM SNMPv2-CONF
       MODULE-IDENTITY, OBJECT-TYPE,
       snmpModules,
       Unsigned32,
       Counter32                             FROM SNMPv2-SMI
       RowStatus, StorageType                FROM SNMPv2-TC
       SnmpAdminString,
       SnmpSecurityModel                     FROM SNMP-FRAMEWORK-MIB;

   snmpExtVacmMIB MODULE-IDENTITY
       LAST-UPDATED "200912010000Z"          -- 1 Dec. 2009, midnight
       ORGANIZATION "ISMS Working Group"
       CONTACT-INFO "WG-email: isms@ietf.org"

       DESCRIPTION  "The management and local datastore information
                     definitions for the Extended View-based Access
                     Control Model for SNMP.

                     Copyright (C) The Internet Society (2009)."

       REVISION     "200912010000Z"
       DESCRIPTION  "Initial version, published as RFCXXXX."
       ::= { snmpModules XXXX }

   extVacmMIBObjects     OBJECT IDENTIFIER ::= { snmpExtVacmMIB 1 }
   extVacmMIBConformance OBJECT IDENTIFIER ::= { snmpExtVacmMIB 2 }

   extVacmCounters       OBJECT IDENTIFIER ::= { extVacmMIBObjects 1 }

   extVacmResourceError OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because of insufficient resources."
       ::= { extVacmCounters 1 }

   extVacmNoPolicy OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because the AAA-provisioned
            group policy did not match an existing row in
            the VACM access table."
       ::= { extVacmCounters 2 }

   extVacmSecurityNameConflict OBJECT-TYPE
       SYNTAX       Counter32
       UNITS        "lost rows"
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The number of VACM Security Name to Security
            Group table rows that could not be created by
            Extended VACM because the AAA-provisioned
            security name (user name) conflicted with an
            existing row in the table."
       ::= { extVacmCounters 3 }

   extVacmSecurityToGroupTable OBJECT-TYPE
       SYNTAX       SEQUENCE OF ExtVacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION  "This table maps a combination of securityModel and
                     securityName into a groupName which is used to define
                     an access control policy for a group of principals."
       ::= { extVacmMIBObjects 2 }

   extVacmSecurityToGroupEntry OBJECT-TYPE
       SYNTAX       ExtVacmSecurityToGroupEntry
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION  "An entry in this table maps the combination of a
                     securityModel and securityName into a groupName."
       INDEX {
           extVacmSecurityModel,
           extVacmSecurityName
       }
       ::= { extVacmSecurityToGroupTable 1 }

   ExtVacmSecurityToGroupEntry ::= SEQUENCE
   {
       extVacmSecurityModel               SnmpSecurityModel,
       extVacmSecurityName                SnmpAdminString,
       extVacmGroupName                   SnmpAdminString,
       extVacmSecurityToGroupStorageType  StorageType,
       extVacmSecurityToGroupStatus       RowStatus,
       extVacmRowCreatedBy                INTEGER,
       extVacmRowLifetime                 Unsigned32,
       extVacmTransportSessionID          Unsigned32
   }

   extVacmSecurityModel OBJECT-TYPE
       SYNTAX       SnmpSecurityModel(1..2147483647)
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION  "The Security Model, by which the extVacmSecurityName
                     referenced by this entry is provided.
                     Note, this object may not take the 'any' (0) value."
       ::= { extVacmSecurityToGroupEntry 1 }

   extVacmSecurityName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   not-accessible
       STATUS       current
       DESCRIPTION  "The securityName for the principal, represented in a
                     Security Model independent format, which is mapped by
                     this entry to a groupName."
       ::= { extVacmSecurityToGroupEntry 2 }

   extVacmGroupName OBJECT-TYPE
       SYNTAX       SnmpAdminString (SIZE(1..32))
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "The name of the group to which this entry (i.e., the
                     combination of securityModel and securityName)
                     belongs.

                     This groupName is used as index into the
                     vacmAccessTable to select an access control policy.
                     A value in this table does not imply that an instance
                     with the value exists in table vacmAccessTable."
       ::= { extVacmSecurityToGroupEntry 3 }

   extVacmSecurityToGroupStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "The storage type for this conceptual row.
                     Conceptual rows having the value 'permanent' need not
                     allow write-access to any columnar objects in the row."
       DEFVAL       { nonVolatile }
       ::= { extVacmSecurityToGroupEntry 4 }

   extVacmSecurityToGroupStatus OBJECT-TYPE
       SYNTAX       RowStatus
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "The status of this conceptual row.

                     Until instances of all corresponding columns are
                     appropriately configured, the value of the
                     corresponding instance of the
                     extVacmSecurityToGroupStatus column is 'notReady'.

                     In particular, a newly created row cannot be made
                     active until a value has been set for
                     extVacmGroupName.

                     The RowStatus TC [RFC2579] requires that this
                     DESCRIPTION clause states under which circumstances
                     other objects in this row can be modified:

                     The value of this object has no effect on whether
                     other objects in this conceptual row can be modified."
       ::= { extVacmSecurityToGroupEntry 5 }

   extVacmRowCreatedBy OBJECT-TYPE
       SYNTAX       INTEGER
                    { radius (1),    -- Row created by Extended VACM
                      other  (2)     -- ???
                    }
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "The source of the information in this row
                     is indicated by the value of this object.
                     In the case of VACM this column probably won't
                     exist."
       ::= { extVacmSecurityToGroupEntry 6 }

   extVacmRowLifetime OBJECT-TYPE
       SYNTAX       Unsigned32
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "The number of seconds for which this row
                     is valid.  Extended VACM SHOULD delete the
                     row after this lifetime expires."
       ::= { extVacmSecurityToGroupEntry 7 }

   extVacmTransportSessionID OBJECT-TYPE
       SYNTAX       Unsigned32
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION  "An identifier of the secure transport
                     model's session associated with this
                     authenticated user.  The identifier
                     MUST be unique within the scope of the NAS.
                     Its content is implementation dependent
                     and it SHOULD be used merely as an index."
       ::= { extVacmSecurityToGroupEntry 8 }

   -- Conformance information ******************************************

   extVacmMIBCompliances
       OBJECT IDENTIFIER ::= { extVacmMIBConformance 1 }
   extVacmMIBGroups
       OBJECT IDENTIFIER ::= { extVacmMIBConformance 2 }

   -- compliance statements

   extVacmMIBBasicCompliance MODULE-COMPLIANCE
       STATUS       current
       DESCRIPTION  "The compliance statement for SNMP engines which
                     implement the Extensions to the View-based Access
                     Control Model for use with RADIUS.
                    "
       MODULE -- this module
           MANDATORY-GROUPS { extVacmGroup }

       ::= { extVacmMIBCompliances 1 }

   -- units of conformance

   extVacmGroup OBJECT-GROUP
       OBJECTS {
           extVacmResourceError,
           extVacmNoPolicy,
           extVacmSecurityNameConflict,
           extVacmGroupName,
           extVacmSecurityToGroupStorageType,
           extVacmSecurityToGroupStatus,
           extVacmRowCreatedBy,
           extVacmRowLifetime,
           extVacmTransportSessionID
       }
       STATUS       current
       DESCRIPTION  "A collection of objects for supporting the use
                     of RADIUS to provide user / group mappings for VACM.
                    "
       ::= { extVacmMIBGroups 1 }

   END

6.  IANA Considerations

   TO DO.

7.  Security Considerations

   TO DO.

8.  Open Issues

   This section identifies questions and issues that have not been
   addressed in this version of this document.  This section will
   probably be removed prior to publication, since there will be no
   questions left to address.

   1.  Is this document an amendment or update to RFC 3415?  Or is it
       simply a standalone document that describes how to provision
       certain MIB objects defined in RFC 3415, along with an extended
       set of augmenting table columns?

   2.  Does this document need to make any reference to the Elements of
       Procedure in RFC 3415, or does it simply need its own Elements of
       Procedure for updating the group mapping table?

   3.  Where should the MIB module defined in this document be rooted?
       (under snmpModules or mib-2?)

   4.  Dave Harrington had issued a summary email after IETF75
       containing apparently contradictory statements about whether the
       additional columns should be in the *same* table that VACM uses
       or in another, separate table that augments the VACM table.
       Basically, we need some help in actually structuring the new MIB
       module.

   5.  The Groups and Conformance sections of the MIB module need to be
       checked and kept in alignment with the definitions.

   6.  Make sure that the new Elements of Procedure make sense and cover
       all the corner cases correctly.

   7.  Generally make the document look like an "SNMP document".  :-)

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC5590]  Harrington, D. and J. Schoenwaelder, "Transport Subsystem
              for the Simple Network Management Protocol (SNMP)",
              RFC 5590, June 2009.

   [RFC5591]  Harrington, D. and W.
              Hardaker, "Transport Security Model for the Simple Network
              Management Protocol (SNMP)", RFC 5591, June 2009.

   [RFC5607]  Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management", RFC 5607, July 2009.

   [RFC5608]  Narayan, K. and D. Nelson, "Remote Authentication Dial-In
              User Service (RADIUS) Usage for Simple Network Management
              Protocol (SNMP) Transport Models", RFC 5608, August 2009.

9.2.  Informative References

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, June 2009.

Authors' Addresses

   Kaushik Narayan
   Cisco Systems, Inc.
   10 West Tasman Drive
   San Jose, CA 95134
   USA

   Phone: +1.408.526.8168
   Email: kaushik_narayan@yahoo.com


   David Nelson
   Elbrys Networks, Inc.
   282 Corporate Drive, Unit #1,
   Portsmouth, NH 03801
   USA

   Phone: +1.603.570.2636
   Email: d.b.nelson@comcast.net


   Randy Presuhn (editor)
   None

   Email: randy_presuhn@mindspring.com