Network Working Group                                     S. De Cnodder
Internet-Draft                                                  Alcatel
Expires: April 22, 2006                                      N. Jonnala
                                                               M. Chiba
                                                    Cisco Systems, Inc.
                                                       October 19, 2005


                    Dynamic Authorization Client MIB
               draft-ietf-radext-dynauth-client-mib-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 22, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the RADIUS Dynamic Authorization Client
   (DAC) functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
       1.1.  Requirements notation
       1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Client MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Client MIB complements the managed
   objects used for managing RADIUS authentication and accounting
   servers as described in [RFC2619] and [RFC2621], respectively.  The
   corresponding version-neutral IP address MIBs [RFC2619bis] and
   [RFC2621bis] will obsolete (if approved) [RFC2619] and [RFC2621].

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS which processes the
      Disconnect and Change-of-Authorization (CoA) Request packets
      [RFC3576] sent by the Dynamic Authorization Client.
   Dynamic Authorization Client (DAC)

      The component which sends Disconnect and CoA-Request packets to
      the Dynamic Authorization Server.  While often residing on the
      RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
   Request, CoA-ACK and CoA-NAK packets.  [DYNSERV] defines the Dynamic
   Authorization Server MIB and its relationship with other MIB modules.
   This MIB module for the Dynamic Authorization Client contains the
   following:

   1.  Two scalar objects.

   2.  One Dynamic Authorization Server table.  This table contains one
       row for each DAS that the DAC shares a secret with.

4.  RADIUS Dynamic Authorization Client MIB Definitions

   RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Gauge32, Integer32,
          mib-2, TimeTicks             FROM SNMPv2-SMI          -- [RFC2578]
          SnmpAdminString              FROM SNMP-FRAMEWORK-MIB  -- [RFC3411]
          InetAddressType, InetAddress,
          InetPortNumber               FROM INET-ADDRESS-MIB    -- [RFC4001]
          MODULE-COMPLIANCE,
          OBJECT-GROUP                 FROM SNMPv2-CONF;        -- [RFC2580]

   radiusDynAuthClientMIB MODULE-IDENTITY
          LAST-UPDATED "200510160000Z" -- 16 October 2005
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Cisco Systems, Inc.
                   Divyasree Chambers, B Wing,
                   O'Shaugnessy Road,
                   Bangalore-560027, India.

                   Phone: +91 98456 99445
                   EMail: njonnala@cisco.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
              "The MIB module for entities implementing the client
               side of the Dynamic Authorization extensions to the
               Remote Authentication Dial In User Service (RADIUS)
               protocol.

               Copyright (C) The Internet Society (2005).  This initial
               version of this MIB module was published in RFC yyyy;
               for full legal notices see the RFC itself.  Supplementary
               information may be available on
               http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200510160000Z" -- 16 October 2005
          DESCRIPTION "Initial version as published in RFC yyyy"
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { mib-2 xxx }
          -- The value xxx to be assigned by IANA.
   radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                   { radiusDynAuthClientMIB 1 }

   radiusDynAuthClient OBJECT IDENTIFIER ::=
                                   { radiusDynAuthClientMIBObjects 1 }

   radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
         SYNTAX     Counter32
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of Disconnect messages received from unknown
                addresses."
         ::= { radiusDynAuthClient 1 }

   radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
         SYNTAX     Counter32
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of CoA messages received from unknown
                addresses."
         ::= { radiusDynAuthClient 2 }

   radiusDynAuthServerTable OBJECT-TYPE
         SYNTAX     SEQUENCE OF RadiusDynAuthServerEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "The (conceptual) table listing the RADIUS Dynamic
                Authorization Servers with which the client shares a
                secret."
         ::= { radiusDynAuthClient 3 }

   radiusDynAuthServerEntry OBJECT-TYPE
         SYNTAX     RadiusDynAuthServerEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "An entry (conceptual row) representing one Dynamic
                Authorization Server with which the client shares a
                secret."
         INDEX      { radiusDynAuthServerIndex }
         ::= { radiusDynAuthServerTable 1 }

   RadiusDynAuthServerEntry ::= SEQUENCE {
         radiusDynAuthServerIndex                     Integer32,
         radiusDynAuthServerAddressType               InetAddressType,
         radiusDynAuthServerAddress                   InetAddress,
         radiusDynAuthServerClientPortNumber          InetPortNumber,
         radiusDynAuthServerID                        SnmpAdminString,
         radiusDynAuthClientRoundTripTime             TimeTicks,
         radiusDynAuthClientDisconRequests            Counter32,
         radiusDynAuthClientDisconAuthOnlyRequests    Counter32,
         radiusDynAuthClientDisconRetransmissions     Counter32,
         radiusDynAuthClientDisconAcks                Counter32,
         radiusDynAuthClientDisconNaks                Counter32,
         radiusDynAuthClientDisconNakAuthOnlyRequest  Counter32,
         radiusDynAuthClientDisconNakSessNoContext    Counter32,
         radiusDynAuthClientMalformedDisconResponses  Counter32,
         radiusDynAuthClientDisconBadAuthenticators   Counter32,
         radiusDynAuthClientDisconPendingRequests     Gauge32,
         radiusDynAuthClientDisconTimeouts            Counter32,
         radiusDynAuthClientDisconPacketsDropped      Counter32,
         radiusDynAuthClientCoARequests               Counter32,
         radiusDynAuthClientCoAAuthOnlyRequest        Counter32,
         radiusDynAuthClientCoARetransmissions        Counter32,
         radiusDynAuthClientCoAAcks                   Counter32,
         radiusDynAuthClientCoANaks                   Counter32,
         radiusDynAuthClientCoANakAuthOnlyRequest     Counter32,
         radiusDynAuthClientCoANakSessNoContext       Counter32,
         radiusDynAuthClientMalformedCoAResponses     Counter32,
         radiusDynAuthClientCoABadAuthenticators      Counter32,
         radiusDynAuthClientCoAPendingRequests        Gauge32,
         radiusDynAuthClientCoATimeouts               Counter32,
         radiusDynAuthClientCoAPacketsDropped         Counter32,
         radiusDynAuthClientUnknownTypes              Counter32
   }

   radiusDynAuthServerIndex OBJECT-TYPE
         SYNTAX     Integer32 (1..2147483647)
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "A number uniquely identifying each RADIUS Dynamic
                Authorization Server with which this Dynamic
                Authorization Client communicates.  This number is
                allocated by the agent implementing this MIB module,
                and is unique in this context."
         ::= { radiusDynAuthServerEntry 1 }

   radiusDynAuthServerAddressType OBJECT-TYPE
         SYNTAX     InetAddressType
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The type of IP-Address of the RADIUS Dynamic
                Authorization Server referred to in this table entry."
         ::= { radiusDynAuthServerEntry 2 }

   radiusDynAuthServerAddress OBJECT-TYPE
         SYNTAX     InetAddress
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The IP-Address value of the RADIUS Dynamic
                Authorization Server referred to in this table entry."
         ::= { radiusDynAuthServerEntry 3 }

   radiusDynAuthServerClientPortNumber OBJECT-TYPE
         SYNTAX     InetPortNumber
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The UDP destination port that the RADIUS Dynamic
                Authorization Client is using to send requests to this
                server."
         ::= { radiusDynAuthServerEntry 4 }

   radiusDynAuthServerID OBJECT-TYPE
         SYNTAX     SnmpAdminString
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The NAS-Identifier of the RADIUS Dynamic
                Authorization Server referred to in this table
                entry."
         REFERENCE
               "RFC 2865, Section 5.32, NAS-Identifier."
         ::= { radiusDynAuthServerEntry 5 }

   radiusDynAuthClientRoundTripTime OBJECT-TYPE
         SYNTAX     TimeTicks
         UNITS      "hundredths of a second"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The time interval (in hundredths of a second) between
                the most recent Disconnect or CoA request and the
                reception of the corresponding Disconnect or CoA reply.
                A value of zero is returned in case no reply has been
                received yet from this server."
         ::= { radiusDynAuthServerEntry 6 }

   radiusDynAuthClientDisconRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Requests sent
                to this Dynamic Authorization Server.  This includes
                the RADIUS Disconnect-Requests that have a
                Service-Type attribute with value 'Authorize Only'."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 7 }

   radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Requests including a
                Service-Type attribute with value 'Authorize Only'
                sent to this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 8 }

   radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "retransmissions"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Request packets
                retransmitted to this RADIUS Dynamic Authorization
                Server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 9 }

   radiusDynAuthClientDisconAcks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-ACK packets
                received from this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 10 }

   radiusDynAuthClientDisconNaks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                received from this Dynamic Authorization Server.
                This includes the RADIUS Disconnect-NAK packets
                received with a Service-Type attribute with value
                'Authorize Only' and the RADIUS Disconnect-NAK packets
                received because no session context was found."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 11 }

   radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                including a Service-Type attribute with value
                'Authorize Only' received from this Dynamic
                Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 12 }

   radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                received from this Dynamic Authorization Server
                because no session context was found, i.e. it
                includes an Error-Cause attribute with value 503
                ('Session Context Not Found')."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 13 }

   radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of malformed RADIUS Disconnect-Response
                packets received from this Dynamic Authorization
                Server.  Bad authenticators and unknown types are not
                included as malformed Disconnect-Responses."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 14 }

   radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Response packets
                that contained an invalid Authenticator field
                received from this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 15 }

   radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
         SYNTAX     Gauge32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Request packets
                destined for this server that have not yet timed out
                or received a response.  This variable is incremented
                when a Disconnect-Request is sent and decremented
                due to receipt of a Disconnect-ACK, Disconnect-NAK
                or a timeout or a retransmission."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 16 }

   radiusDynAuthClientDisconTimeouts OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "timeouts"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of Disconnect request timeouts to this
                server.  After a timeout the client may retry to the
                same server or give up.  A retry to the same server is
                counted as a retransmit as well as a timeout.  A send
                to a different server is counted as a
                Disconnect-Request as well as a timeout."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthServerEntry 17 }

   radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming Disconnect-Responses
                from this Dynamic Authorization Server silently
                discarded by the client application for some reason
                other than malformed, bad authenticators or unknown
                types."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 18 }

   radiusDynAuthClientCoARequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Requests sent to this
                Dynamic Authorization Server.  This includes
                the CoA-Requests that have a Service-Type attribute
                with value 'Authorize Only'."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 19 }

   radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Requests including a
                Service-Type attribute with value 'Authorize Only'
                sent to this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 20 }

   radiusDynAuthClientCoARetransmissions OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "retransmissions"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Request packets
                retransmitted to this RADIUS Dynamic Authorization
                Server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 21 }

   radiusDynAuthClientCoAAcks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-ACK packets
                received from this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 22 }

   radiusDynAuthClientCoANaks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets
                received from this Dynamic Authorization Server.
                This includes the RADIUS CoA-NAK packets received
                with a Service-Type attribute with value 'Authorize
                Only' and the RADIUS CoA-NAK packets received because
                no session context was found."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 23 }

   radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets including a
                Service-Type attribute with value 'Authorize Only'
                received from this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 24 }

   radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets
                received from this Dynamic Authorization Server
                because no session context was found, i.e. it
                includes an Error-Cause attribute with value 503
                ('Session Context Not Found')."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 25 }

   radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of malformed RADIUS CoA-Response
                packets received from this Dynamic Authorization
                Server.  Bad authenticators and unknown types are
                not included as malformed CoA-Responses."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 26 }

   radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Response packets
                that contained an invalid Authenticator field
                received from this Dynamic Authorization Server."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 27 }

   radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
         SYNTAX     Gauge32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Request packets destined for
                this server that have not yet timed out or received a
                response.  This variable is incremented when a
                CoA-Request is sent and decremented due to receipt of
                a CoA-ACK, CoA-NAK or a timeout or a retransmission."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 28 }

   radiusDynAuthClientCoATimeouts OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "timeouts"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of CoA request timeouts to this server.
                After a timeout the client may retry to the same
                server or give up.  A retry to the same server is
                counted as a retransmit as well as a timeout.  A send
                to a different server is counted as a CoA-Request as
                well as a timeout."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthServerEntry 29 }

   radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming CoA-Responses from this Dynamic
                Authorization Server silently discarded by the client
                application for some reason other than malformed, bad
                authenticators or unknown types."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 30 }

   radiusDynAuthClientUnknownTypes OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming packets of unknown types
                which were received on the Dynamic Authorization port."
         REFERENCE
               "RFC 3576, Section 2.3, Packet Format."
         ::= { radiusDynAuthServerEntry 31 }

   -- conformance information

   radiusDynAuthClientMIBConformance
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }

   radiusDynAuthClientMIBCompliances
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
   radiusDynAuthClientMIBGroups
         OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

   -- compliance statements

   radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
         STATUS  current
         DESCRIPTION
               "The compliance statement for entities implementing
                the RADIUS Dynamic Authorization Client."
         MODULE  -- this module
         MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }

         GROUP radiusDynAuthClientAuthOnlyGroup
         DESCRIPTION
               "Only required for Dynamic Authorization Clients that
                are supporting Service-Type attributes with value
                'Authorize Only'."
         GROUP radiusDynAuthClientNoSessGroup
         DESCRIPTION
               "This group is not required in case the Dynamic
                Authorization Server cannot easily determine whether
                a session exists or not (e.g., in case of a RADIUS
                proxy)."

         ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
                   radiusDynAuthClientCoAInvalidServerAddresses,
                   radiusDynAuthServerAddressType,
                   radiusDynAuthServerAddress,
                   radiusDynAuthServerClientPortNumber,
                   radiusDynAuthServerID,
                   radiusDynAuthClientRoundTripTime,
                   radiusDynAuthClientDisconRequests,
                   radiusDynAuthClientDisconRetransmissions,
                   radiusDynAuthClientDisconAcks,
                   radiusDynAuthClientDisconNaks,
                   radiusDynAuthClientMalformedDisconResponses,
                   radiusDynAuthClientDisconBadAuthenticators,
                   radiusDynAuthClientDisconPendingRequests,
                   radiusDynAuthClientDisconTimeouts,
                   radiusDynAuthClientDisconPacketsDropped,
                   radiusDynAuthClientCoARequests,
                   radiusDynAuthClientCoARetransmissions,
                   radiusDynAuthClientCoAAcks,
                   radiusDynAuthClientCoANaks,
                   radiusDynAuthClientMalformedCoAResponses,
                   radiusDynAuthClientCoABadAuthenticators,
                   radiusDynAuthClientCoAPendingRequests,
                   radiusDynAuthClientCoATimeouts,
                   radiusDynAuthClientCoAPacketsDropped,
                   radiusDynAuthClientUnknownTypes
                 }
         STATUS  current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Dynamic Authorization Client."
779 ::= { radiusDynAuthClientMIBGroups 1 } 781 radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP 782 OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests, 783 radiusDynAuthClientDisconNakAuthOnlyRequest, 784 radiusDynAuthClientCoAAuthOnlyRequest, 785 radiusDynAuthClientCoANakAuthOnlyRequest 786 } 787 STATUS current 788 DESCRIPTION 789 "The collection of objects supporting the RADIUS 790 messages including Service-Type attribute with 791 value 'Autorize Only'." 792 ::= { radiusDynAuthClientMIBGroups 2 } 794 radiusDynAuthClientNoSessGroup OBJECT-GROUP 795 OBJECTS { radiusDynAuthClientDisconNakSessNoContext, 796 radiusDynAuthClientCoANakSessNoContext 797 } 798 STATUS current 799 DESCRIPTION 800 "The collection of objects supporting the RADIUS 801 messages that are referring to non existing sessions." 802 ::= { radiusDynAuthClientMIBGroups 3 } 804 END 806 5. Security Considerations 808 There are no management objects defined in this MIB module that have 809 a MAX-ACCESS clause of read-write and/or read-create. So, if this 810 MIB module is implemented correctly, then there is no risk that an 811 intruder can alter or create any management objects of this MIB 812 module via direct SNMP SET operations 814 Some of the readable objects in this MIB module (i.e., objects with a 815 MAX-ACCESS other than not-accessible) may be considered sensitive or 816 vulnerable in some network environments. It is thus important to 817 control even GET and/or NOTIFY access to these objects and possibly 818 to even encrypt the values of these objects when sending them over 819 the network via SNMP. These are the tables and objects and their 820 sensitivity/vulnerability: 822 radiusDynAuthServerAddress and radiusDynAuthServerAddressType 824 These can be used to determine the address of the DAS with which the 825 DAC is communicating. This information could be useful in mounting 826 an attack on the DAS. 828 radiusDynAuthServerID 830 This can be used to determine the Identifier of the DAS. 
      This information could be useful in impersonating the DAS.

   radiusDynAuthServerClientPortNumber

      This can be used to determine the destination port number to
      which the DAC is sending.  This information could be useful in
      mounting an attack on the DAS.

   The other readable objects are not really considered as being
   sensitive or vulnerable.  These objects are:

      radiusDynAuthClientDisconInvalidServerAddresses,
      radiusDynAuthClientCoAInvalidServerAddresses,
      radiusDynAuthClientRoundTripTime,
      radiusDynAuthClientDisconRequests,
      radiusDynAuthClientDisconAuthOnlyRequests,
      radiusDynAuthClientDisconRetransmissions,
      radiusDynAuthClientDisconAcks,
      radiusDynAuthClientDisconNaks,
      radiusDynAuthClientDisconNakAuthOnlyRequest,
      radiusDynAuthClientDisconNakSessNoContext,
      radiusDynAuthClientMalformedDisconResponses,
      radiusDynAuthClientDisconBadAuthenticators,
      radiusDynAuthClientDisconPendingRequests,
      radiusDynAuthClientDisconTimeouts,
      radiusDynAuthClientDisconPacketsDropped,
      radiusDynAuthClientCoARequests,
      radiusDynAuthClientCoAAuthOnlyRequest,
      radiusDynAuthClientCoARetransmissions,
      radiusDynAuthClientCoAAcks,
      radiusDynAuthClientCoANaks,
      radiusDynAuthClientCoANakAuthOnlyRequest,
      radiusDynAuthClientCoANakSessNoContext,
      radiusDynAuthClientMalformedCoAResponses,
      radiusDynAuthClientCoABadAuthenticators,
      radiusDynAuthClientCoAPendingRequests,
      radiusDynAuthClientCoATimeouts,
      radiusDynAuthClientCoAPacketsDropped, and
      radiusDynAuthClientUnknownTypes.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.
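   The counters listed above are not sensitive to disclose, but they are
   the DAC-side evidence that someone is interfering with the dynamic
   authorization exchange: responses arriving from an address other than
   the configured DAS, responses failing the Response Authenticator
   check, malformed responses, and Disconnect or CoA requests that time
   out and therefore leave the targeted session in place.  The Python
   program below is an added example, not part of this draft or of any
   implementation of it.  It compares two polls of a DAC's counters
   (constructed inline, not real device output), allows for Counter32
   wrap, and reports the increments an operator would want to act on.
   The object names are those defined in the MIB module above; the poll
   format, the thresholds, and the attribution of each counter to an
   attack or failure pattern are assumptions of the example.

```python
"""Added example: detection logic over RADIUS Dynamic Authorization Client
MIB counters.  Not part of the draft.  Object names are the draft's; the poll
format, thresholds and interpretation of each counter are assumptions."""
from dataclasses import dataclass

COUNTER32_MODULUS = 1 << 32

# Counters that stay flat when only the configured DAS answers correctly.
# Any growth is traffic the DAC rejected (interpretation assumed from names).
REJECT_COUNTERS = {
    "radiusDynAuthClientDisconInvalidServerAddresses":
        "Disconnect response from an address that is not a configured DAS",
    "radiusDynAuthClientCoAInvalidServerAddresses":
        "CoA response from an address that is not a configured DAS",
    "radiusDynAuthClientDisconBadAuthenticators":
        "Disconnect response with bad Response Authenticator (wrong secret or forgery)",
    "radiusDynAuthClientCoABadAuthenticators":
        "CoA response with bad Response Authenticator (wrong secret or forgery)",
    "radiusDynAuthClientMalformedDisconResponses": "malformed Disconnect response",
    "radiusDynAuthClientMalformedCoAResponses": "malformed CoA response",
    "radiusDynAuthClientUnknownTypes": "packet with an unknown RADIUS code",
}

# (requests, timeouts) counter pairs: unanswered Disconnect/CoA requests mean
# the session the DAC tried to change or tear down is still up.
TIMEOUT_PAIRS = (
    ("radiusDynAuthClientDisconRequests", "radiusDynAuthClientDisconTimeouts"),
    ("radiusDynAuthClientCoARequests", "radiusDynAuthClientCoATimeouts"),
)


@dataclass(frozen=True)
class Alert:
    dac: str      # name of the polled Dynamic Authorization Client
    counter: str  # MIB object that triggered the alert
    delta: int    # increase between the two polls
    reason: str


def counter_delta(old: int, new: int) -> int:
    """Increase of a Counter32 between two polls, allowing for one wrap."""
    return (new - old) % COUNTER32_MODULUS


def analyze(prev: dict, curr: dict, min_requests: int = 10,
            max_timeout_ratio: float = 0.5) -> list:
    """Compare two polls ({dac: {object_name: value}}) and return alerts."""
    alerts = []
    for dac, now in curr.items():
        before = prev.get(dac, {})
        for name, reason in REJECT_COUNTERS.items():
            d = counter_delta(before.get(name, 0), now.get(name, 0))
            if d > 0:
                alerts.append(Alert(dac, name, d, reason))
        for req_name, to_name in TIMEOUT_PAIRS:
            reqs = counter_delta(before.get(req_name, 0), now.get(req_name, 0))
            tos = counter_delta(before.get(to_name, 0), now.get(to_name, 0))
            # Ignore quiet intervals so a single lost packet is not an incident.
            if reqs >= min_requests and tos / reqs > max_timeout_ratio:
                alerts.append(Alert(dac, to_name, tos,
                                    f"{tos} of {reqs} new requests timed out; "
                                    "DAS unreachable, sessions not torn down"))
    return alerts


# Constructed sample polls (not real device output), one entry per DAC.
POLL_T0 = {
    "dac-radius-01": {
        "radiusDynAuthClientDisconRequests": 1200,
        "radiusDynAuthClientDisconTimeouts": 3,
        "radiusDynAuthClientDisconBadAuthenticators": 0,
        "radiusDynAuthClientDisconInvalidServerAddresses": 0,
        "radiusDynAuthClientCoARequests": 400,
        "radiusDynAuthClientCoATimeouts": 1,
    },
    "dac-radius-02": {
        "radiusDynAuthClientDisconRequests": 4294967290,  # about to wrap
        "radiusDynAuthClientDisconTimeouts": 0,
        "radiusDynAuthClientDisconBadAuthenticators": 5,
    },
}
POLL_T1 = {
    "dac-radius-01": {
        "radiusDynAuthClientDisconRequests": 1220,
        "radiusDynAuthClientDisconTimeouts": 3,
        "radiusDynAuthClientDisconBadAuthenticators": 7,    # forged replies?
        "radiusDynAuthClientDisconInvalidServerAddresses": 2,
        "radiusDynAuthClientCoARequests": 410,
        "radiusDynAuthClientCoATimeouts": 9,                # 8 of 10 lost
    },
    "dac-radius-02": {
        "radiusDynAuthClientDisconRequests": 14,  # wrapped: 20 new requests
        "radiusDynAuthClientDisconTimeouts": 0,
        "radiusDynAuthClientDisconBadAuthenticators": 5,
    },
}

if __name__ == "__main__":
    for a in analyze(POLL_T0, POLL_T1):
        print(f"{a.dac}: {a.counter} +{a.delta}: {a.reason}")
```

   Run against the constructed polls, the program reports three alerts
   for dac-radius-01 (two Disconnect responses from an unexpected
   address, seven bad authenticators, and eight of ten new CoA requests
   timing out) and none for dac-radius-02, whose request counter wrapped
   without any rejected traffic.  In a deployment the two poll
   dictionaries would be filled from SNMPv3 GET operations against the
   DAC, with the access restrictions the following paragraphs require.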
   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID under mib-2.

7.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2619] and [RFC2621].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu,
   Bert Wijnen, Bernard Aboba, David Nelson, Greg Weber and Glen Zorn.

8.  References

8.1.  Normative References

   [DYNSERV]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Server MIB",
              draft-decnodder-radext-dynauth-server-mib-02.txt, work in
              progress, September 2005.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S.
              Waldbusser, "Conformance Statements for SMIv2", STD 58,
              RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., et al., "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-00.txt, work in progress,
              August 2005.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-00.txt, work in progress,
              August 2005.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.