idnits 2.17.1

draft-ietf-radext-dynauth-client-mib-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust
  (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

     -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.
     -- Found old boilerplate from RFC 3978, Section 5.5 on line 1088.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1065.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1072.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1078.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead
     of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([RFC2865]), which it shouldn't.
     Please replace those with straight textual mentions of the documents in
     question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 29, 2006) is 6601 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 3576 (Obsoleted by RFC 5176)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-radext-dynauth-server-mib-05

  == Outdated reference: A later version (-04) exists of
     draft-ietf-radext-rfc2619bis-01

  == Outdated reference: A later version (-04) exists of
     draft-ietf-radext-rfc2621bis-01

     Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       S. De Cnodder
Internet-Draft                                                    Alcatel
Expires: September 30, 2006                                    N. Jonnala
                                                                 M. Chiba
                                                      Cisco Systems, Inc.
                                                           March 29, 2006

                     Dynamic Authorization Client MIB
                draft-ietf-radext-dynauth-client-mib-05.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 30, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS) (RFC 2865) Dynamic Authorization Client (DAC)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
       1.1.  Requirements notation
       1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Client MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages as
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Client MIB complements the managed
   objects used for managing RADIUS authentication and accounting
   servers as described in [RFC2619bis] and [RFC2621bis], respectively.

   -- RFC Ed.: references [DYNSERV], [RFC2619bis], [RFC2621bis] should
   -- be replaced by references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

   The component that resides on the NAS which processes the Disconnect
   and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
   the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

   The component which sends Disconnect and CoA-Request packets to the
   Dynamic Authorization Server.  While often residing on the RADIUS
   server, it is also possible for this component to be located on a
   separate host, such as a Rating Engine.
   Dynamic Authorization Server Port

   The UDP port on which the Dynamic Authorization Server listens for
   the Disconnect and CoA requests sent by the Dynamic Authorization
   Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
   Request, CoA-ACK and CoA-NAK packets.  [DYNSERV] defines the Dynamic
   Authorization Server MIB and the relationship with other MIB modules.
   This MIB module for the Dynamic Authorization Client contains the
   following:

   1.  Three scalar objects, and

   2.  One Dynamic Authorization Server table.  This table contains one
       row for each DAS that the DAC shares a secret with.

4.  RADIUS Dynamic Authorization Client MIB Definitions

RADIUS-DYNAUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, Gauge32, Integer32,
       mib-2, TimeTicks            FROM SNMPv2-SMI         -- [RFC2578]
       SnmpAdminString             FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
       InetAddressType, InetAddress,
       InetPortNumber              FROM INET-ADDRESS-MIB   -- [RFC4001]
       MODULE-COMPLIANCE,
       OBJECT-GROUP                FROM SNMPv2-CONF;       -- [RFC2580]

radiusDynAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "200603220000Z" -- 22 March 2006
       ORGANIZATION "IETF RADEXT Working Group"
       CONTACT-INFO
              " Stefaan De Cnodder
                Alcatel
                Francis Wellesplein 1
                B-2018 Antwerp
                Belgium

                Phone: +32 3 240 85 15
                EMail: stefaan.de_cnodder@alcatel.be

                Nagi Reddy Jonnala
                Cisco Systems, Inc.
                Divyasree Chambers, B Wing,
                O'Shaugnessy Road,
                Bangalore-560027, India.

                Phone: +91 94487 60828
                EMail: njonnala@cisco.com

                Murtaza Chiba
                Cisco Systems, Inc.
                170 West Tasman Dr.
                San Jose CA, 95134

                Phone: +1 408 525 7198
                EMail: mchiba@cisco.com "
       DESCRIPTION
             "The MIB module for entities implementing the client
              side of the Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS) protocol.

              Copyright (C) The Internet Society (2006).  Initial
              version as published in RFC yyyy;
              for full legal notices see the RFC itself."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note

       REVISION "200603220000Z" -- 22 March 2006
       DESCRIPTION "Initial version as published in RFC yyyy"
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note
       ::= { mib-2 xxx }
       -- The value xxx to be assigned by IANA.
radiusDynAuthClientMIBObjects OBJECT IDENTIFIER ::=
                                    { radiusDynAuthClientMIB 1 }

radiusDynAuthClientScalars OBJECT IDENTIFIER ::=
                                    { radiusDynAuthClientMIBObjects 1 }

radiusDynAuthClientDisconInvalidServerAddresses OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of Disconnect-Ack and Disconnect-NAK packets
              received from unknown addresses.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       ::= { radiusDynAuthClientScalars 1 }

radiusDynAuthClientCoAInvalidServerAddresses OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of CoA-Ack and CoA-NAK packets received from
              unknown addresses.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       ::= { radiusDynAuthClientScalars 2 }

radiusDynAuthClientCounterDiscontinuity OBJECT-TYPE
       SYNTAX TimeTicks
       UNITS "hundredths of a second"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The time (in hundredths of a second) since the
              DAC module was last re-initialized."
       ::= { radiusDynAuthClientScalars 3 }

radiusDynAuthServerTable OBJECT-TYPE
       SYNTAX SEQUENCE OF RadiusDynAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS Dynamic
              Authorization Servers with which the client shares a
              secret."
       ::= { radiusDynAuthClientMIBObjects 2 }

radiusDynAuthServerEntry OBJECT-TYPE
       SYNTAX RadiusDynAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "An entry (conceptual row) representing one Dynamic
              Authorization Server with which the client shares a
              secret."
       INDEX { radiusDynAuthServerIndex }
       ::= { radiusDynAuthServerTable 1 }

RadiusDynAuthServerEntry ::= SEQUENCE {
       radiusDynAuthServerIndex                     Integer32,
       radiusDynAuthServerAddressType               InetAddressType,
       radiusDynAuthServerAddress                   InetAddress,
       radiusDynAuthServerClientPortNumber          InetPortNumber,
       radiusDynAuthServerID                        SnmpAdminString,
       radiusDynAuthClientRoundTripTime             TimeTicks,
       radiusDynAuthClientDisconRequests            Counter32,
       radiusDynAuthClientDisconAuthOnlyRequests    Counter32,
       radiusDynAuthClientDisconRetransmissions     Counter32,
       radiusDynAuthClientDisconAcks                Counter32,
       radiusDynAuthClientDisconNaks                Counter32,
       radiusDynAuthClientDisconNakAuthOnlyRequest  Counter32,
       radiusDynAuthClientDisconNakSessNoContext    Counter32,
       radiusDynAuthClientMalformedDisconResponses  Counter32,
       radiusDynAuthClientDisconBadAuthenticators   Counter32,
       radiusDynAuthClientDisconPendingRequests     Gauge32,
       radiusDynAuthClientDisconTimeouts            Counter32,
       radiusDynAuthClientDisconPacketsDropped      Counter32,
       radiusDynAuthClientCoARequests               Counter32,
       radiusDynAuthClientCoAAuthOnlyRequest        Counter32,
       radiusDynAuthClientCoARetransmissions        Counter32,
       radiusDynAuthClientCoAAcks                   Counter32,
       radiusDynAuthClientCoANaks                   Counter32,
       radiusDynAuthClientCoANakAuthOnlyRequest     Counter32,
       radiusDynAuthClientCoANakSessNoContext       Counter32,
       radiusDynAuthClientMalformedCoAResponses     Counter32,
       radiusDynAuthClientCoABadAuthenticators      Counter32,
       radiusDynAuthClientCoAPendingRequests        Gauge32,
       radiusDynAuthClientCoATimeouts               Counter32,
       radiusDynAuthClientCoAPacketsDropped         Counter32,
       radiusDynAuthClientUnknownTypes              Counter32
}

radiusDynAuthServerIndex OBJECT-TYPE
       SYNTAX Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
             "A number uniquely identifying each RADIUS Dynamic
              Authorization Server with which this Dynamic
              Authorization Client communicates.  This number is
              allocated by the agent implementing this MIB module,
              and is unique in this context."
       ::= { radiusDynAuthServerEntry 1 }

radiusDynAuthServerAddressType OBJECT-TYPE
       SYNTAX InetAddressType
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The type of IP address of the RADIUS Dynamic
              Authorization Server referred to in this table entry."
       ::= { radiusDynAuthServerEntry 2 }

radiusDynAuthServerAddress OBJECT-TYPE
       SYNTAX InetAddress
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The IP address value of the RADIUS Dynamic
              Authorization Server referred to in this table entry
              using the version neutral IP address format.  The type
              of this address is determined by the value of the
              radiusDynAuthServerAddressType object."
       ::= { radiusDynAuthServerEntry 3 }

radiusDynAuthServerClientPortNumber OBJECT-TYPE
       SYNTAX InetPortNumber
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The UDP destination port that the RADIUS Dynamic
              Authorization Client is using to send requests to this
              server.  The value zero is invalid."
       ::= { radiusDynAuthServerEntry 4 }

radiusDynAuthServerID OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS Dynamic Authorization
              Server referred to in this table entry.  This is not
              necessarily the same as sysName in MIB II."
       REFERENCE
             "RFC 2865, Section 5.32, NAS-Identifier."
       ::= { radiusDynAuthServerEntry 5 }

radiusDynAuthClientRoundTripTime OBJECT-TYPE
       SYNTAX TimeTicks
       UNITS "hundredths of a second"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The time interval (in hundredths of a second) between
              the most recent Disconnect or CoA request and the
              reception of the corresponding Disconnect or CoA reply.
              A value of zero is returned in case no reply has been
              received yet from this server."
       ::= { radiusDynAuthServerEntry 6 }

radiusDynAuthClientDisconRequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests sent
              to this Dynamic Authorization Server.  This also
              includes the RADIUS Disconnect-Requests that have a
              Service-Type attribute with value 'Authorize Only'.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 7 }

radiusDynAuthClientDisconAuthOnlyRequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Server.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 8 }

radiusDynAuthClientDisconRetransmissions OBJECT-TYPE
       SYNTAX Counter32
       UNITS "retransmissions"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-request packets
              retransmitted to this RADIUS Dynamic Authorization
              Server.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 9 }

radiusDynAuthClientDisconAcks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-ACK packets
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 10 }

radiusDynAuthClientDisconNaks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              received from this Dynamic Authorization Server.
              This includes the RADIUS Disconnect-NAK packets
              received with a Service-Type attribute with value
              'Authorize Only' and the RADIUS Disconnect-NAK
              packets received because no session context was found.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 11 }

radiusDynAuthClientDisconNakAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              that include a Service-Type attribute with value
              'Authorize Only' received from this Dynamic
              Authorization Server.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 12 }

radiusDynAuthClientDisconNakSessNoContext OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              received from this Dynamic Authorization Server
              because no session context was found, i.e. it
              includes an Error-Cause attribute with value 503
              ('Session Context Not Found').  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 13 }

radiusDynAuthClientMalformedDisconResponses OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of malformed RADIUS Disconnect-Ack and
              Disconnect-NAK packets received from this Dynamic
              Authorization Server.  Bad authenticators and unknown
              types are not included as malformed Disconnect-Ack and
              Disconnect-NAK packets.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 14 }

radiusDynAuthClientDisconBadAuthenticators OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-Ack and Disconnect-NAK
              packets that contained an invalid Authenticator field
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 15 }

radiusDynAuthClientDisconPendingRequests OBJECT-TYPE
       SYNTAX Gauge32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Disconnect-request packets
              destined for this server that have not yet timed out
              or received a response.  This variable is incremented
              when a Disconnect-Request is sent and decremented
              due to receipt of a Disconnect-Ack, Disconnect-NAK
              or a timeout or a retransmission."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 16 }

radiusDynAuthClientDisconTimeouts OBJECT-TYPE
       SYNTAX Counter32
       UNITS "timeouts"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of Disconnect request timeouts to this
              server.  After a timeout the client may retry to the
              same server or give up.  A retry to the same server is
              counted as a retransmit as well as a timeout.  A send
              to a different server is counted as a
              Disconnect-Request as well as a timeout.  This counter
              may experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthServerEntry 17 }

radiusDynAuthClientDisconPacketsDropped OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of incoming Disconnect-Ack and
              Disconnect-NAK packets from this Dynamic Authorization
              Server silently discarded by the client application for
              some reason other than malformed, bad authenticators or
              unknown types.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 18 }

radiusDynAuthClientCoARequests OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Requests sent to this
              Dynamic Authorization Server.  This also includes
              the CoA requests that have a Service-Type attribute
              with value 'Authorize Only'.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 19 }

radiusDynAuthClientCoAAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-requests that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Server.  This counter
              may experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 20 }

radiusDynAuthClientCoARetransmissions OBJECT-TYPE
       SYNTAX Counter32
       UNITS "retransmissions"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-request packets
              retransmitted to this RADIUS Dynamic Authorization
              Server.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 21 }

radiusDynAuthClientCoAAcks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-ACK packets received from
              this Dynamic Authorization Server.  This counter may
              experience a discontinuity when the DAC module
              (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 22 }

radiusDynAuthClientCoANaks OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets received from
              this Dynamic Authorization Server.  This includes the
              RADIUS CoA-NAK packets received with a Service-Type
              attribute with value 'Authorize Only' and the RADIUS
              CoA-NAK packets received because no session context
              was found.  This counter may experience a discontinuity
              when the DAC module (re)starts as indicated by the
              value of radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 23 }

radiusDynAuthClientCoANakAuthOnlyRequest OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets that include a
              Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Server.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 24 }

radiusDynAuthClientCoANakSessNoContext OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets received from
              this Dynamic Authorization Server because no session
              context was found, i.e. it includes an Error-Cause
              attribute with value 503 ('Session Context Not Found').
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 25 }

radiusDynAuthClientMalformedCoAResponses OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of malformed RADIUS CoA-Ack and CoA-NAK
              packets received from this Dynamic Authorization
              Server.  Bad authenticators and unknown types are
              not included as malformed CoA-Ack and CoA-NAK packets.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 26 }

radiusDynAuthClientCoABadAuthenticators OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-Ack and CoA-NAK packets
              that contained an invalid Authenticator field
              received from this Dynamic Authorization Server.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 27 }

radiusDynAuthClientCoAPendingRequests OBJECT-TYPE
       SYNTAX Gauge32
       UNITS "requests"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS CoA-request packets destined for
              this server that have not yet timed out or received a
              response.  This variable is incremented when a
              CoA-Request is sent and decremented due to receipt of
              a CoA-Ack, CoA-NAK or a timeout or a retransmission."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 28 }

radiusDynAuthClientCoATimeouts OBJECT-TYPE
       SYNTAX Counter32
       UNITS "timeouts"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of CoA request timeouts to this server.
              After a timeout the client may retry to the same
              server or give up.  A retry to the same server is
              counted as a retransmit as well as a timeout.  A send to
              a different server is counted as a CoA-Request as well
              as a timeout.  This counter may experience a
              discontinuity when the DAC module (re)starts as
              indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthServerEntry 29 }

radiusDynAuthClientCoAPacketsDropped OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of incoming CoA-Ack and CoA-NAK packets from
              this Dynamic Authorization Server silently discarded by
              the client application for some reason other than
              malformed, bad authenticators or unknown types.  This
              counter may experience a discontinuity when the DAC
              module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 30 }

radiusDynAuthClientUnknownTypes OBJECT-TYPE
       SYNTAX Counter32
       UNITS "replies"
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of incoming packets of unknown types
              which were received on the Dynamic Authorization port.
              This counter may experience a discontinuity when the
              DAC module (re)starts as indicated by the value of
              radiusDynAuthClientCounterDiscontinuity."
       REFERENCE
             "RFC 3576, Section 2.3, Packet Format."
       ::= { radiusDynAuthServerEntry 31 }

-- conformance information

radiusDynAuthClientMIBConformance
       OBJECT IDENTIFIER ::= { radiusDynAuthClientMIB 2 }
radiusDynAuthClientMIBCompliances
       OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 1 }
radiusDynAuthClientMIBGroups
       OBJECT IDENTIFIER ::= { radiusDynAuthClientMIBConformance 2 }

-- compliance statements

radiusDynAuthClientMIBCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
             "The compliance statement for entities implementing
              the RADIUS Dynamic Authorization Client.  Implementation
              of this module is for entities that support IPv4 and/or
              IPv6."
         MODULE -- this module
         MANDATORY-GROUPS { radiusDynAuthClientMIBGroup }

         OBJECT radiusDynAuthServerAddressType
         SYNTAX InetAddressType { ipv4(1), ipv6(2) }
         DESCRIPTION
               "An implementation is only required to support IPv4 and
                globally unique IPv6 addresses."

         OBJECT radiusDynAuthServerAddress
         SYNTAX InetAddress (SIZE(4|16))
         DESCRIPTION
               "An implementation is only required to support IPv4 and
                globally unique IPv6 addresses."

         GROUP radiusDynAuthClientAuthOnlyGroup
         DESCRIPTION
               "Only required for Dynamic Authorization Clients that
                support Service-Type attributes with the value
                'Authorize Only'."

         GROUP radiusDynAuthClientNoSessGroup
         DESCRIPTION
               "This group is not required in case the Dynamic
                Authorization Server cannot easily determine whether
                a session exists or not (e.g., in case of a RADIUS
                proxy)."

           ::= { radiusDynAuthClientMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthClientMIBGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconInvalidServerAddresses,
                   radiusDynAuthClientCoAInvalidServerAddresses,
                   radiusDynAuthClientCounterDiscontinuity,
                   radiusDynAuthServerAddressType,
                   radiusDynAuthServerAddress,
                   radiusDynAuthServerClientPortNumber,
                   radiusDynAuthServerID,
                   radiusDynAuthClientRoundTripTime,
                   radiusDynAuthClientDisconRequests,
                   radiusDynAuthClientDisconRetransmissions,
                   radiusDynAuthClientDisconAcks,
                   radiusDynAuthClientDisconNaks,
                   radiusDynAuthClientMalformedDisconResponses,
                   radiusDynAuthClientDisconBadAuthenticators,
                   radiusDynAuthClientDisconPendingRequests,
                   radiusDynAuthClientDisconTimeouts,
                   radiusDynAuthClientDisconPacketsDropped,
                   radiusDynAuthClientCoARequests,
                   radiusDynAuthClientCoARetransmissions,
                   radiusDynAuthClientCoAAcks,
                   radiusDynAuthClientCoANaks,
                   radiusDynAuthClientMalformedCoAResponses,
                   radiusDynAuthClientCoABadAuthenticators,
                   radiusDynAuthClientCoAPendingRequests,
                   radiusDynAuthClientCoATimeouts,
                   radiusDynAuthClientCoAPacketsDropped,
                   radiusDynAuthClientUnknownTypes
         }
         STATUS current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Dynamic Authorization Client."
           ::= { radiusDynAuthClientMIBGroups 1 }

   radiusDynAuthClientAuthOnlyGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconAuthOnlyRequests,
                   radiusDynAuthClientDisconNakAuthOnlyRequest,
                   radiusDynAuthClientCoAAuthOnlyRequest,
                   radiusDynAuthClientCoANakAuthOnlyRequest
         }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages including a Service-Type attribute with the
                value 'Authorize Only'."
           ::= { radiusDynAuthClientMIBGroups 2 }

   radiusDynAuthClientNoSessGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthClientDisconNakSessNoContext,
                   radiusDynAuthClientCoANakSessNoContext
         }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages that refer to non-existing sessions."
           ::= { radiusDynAuthClientMIBGroups 3 }

   END

5.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.
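   The counters defined in the module above record the outcome of each
   check a DAC performs on a reply before it trusts it, and the
   Authenticator check is what stands between an attacker who has
   learned the DAS address, port and Identifier and a forged CoA-Ack.
   The following is an added example, not code from this draft or from
   any DAC implementation: a minimal client-side validator that models
   one row of radiusDynAuthServerTable, computes the RFC 3576 Request
   and Response Authenticators, and shows at which step each counter of
   the module is incremented.  The class and function names, the shared
   secret, addresses and attribute bytes are constructed for the
   example, and counting the two InvalidServerAddresses scalars per row
   is a simplification.

```python
"""DAC-side validation of Disconnect and CoA replies, mapped to the MIB counters.

Added example for this draft, not code from it.  Authenticator rules follow
RFC 3576, Section 2.3; counter names are the objects of the module.
"""
import hashlib
import hmac
import struct

# Packet codes from RFC 3576, Section 2.3.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
FAMILY = {40: "Discon", 41: "Discon", 42: "Discon", 43: "CoA", 44: "CoA", 45: "CoA"}
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def request_authenticator(code, ident, attrs, secret):
    """Like an Accounting-Request: MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    hdr = HEADER.pack(code, ident, HEADER.size + len(attrs), b"\0" * 16)
    return hashlib.md5(hdr + attrs + secret).digest()


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attrs + Secret)."""
    hdr = HEADER.pack(code, ident, HEADER.size + len(attrs), req_auth)
    return hashlib.md5(hdr + attrs + secret).digest()


def build_packet(code, ident, auth, attrs):
    return HEADER.pack(code, ident, HEADER.size + len(attrs), auth) + attrs


class DynAuthServerRow:
    """One DAS as the DAC sees it (hypothetical class): address, shared
    secret, outstanding requests and the module's counters."""

    def __init__(self, address, secret):
        self.address = address
        self.secret = secret
        self.pending = {}   # Identifier -> (request code, Request Authenticator)
        self.counters = {}

    def _bump(self, name):
        self.counters[name] = self.counters.get(name, 0) + 1
        return name

    def pending_requests(self, fam):
        """Value of radiusDynAuthClient<fam>PendingRequests (a Gauge32)."""
        return sum(1 for code, _ in self.pending.values() if FAMILY[code] == fam)

    def send_request(self, code, ident, attrs):
        auth = request_authenticator(code, ident, attrs, self.secret)
        self.pending[ident] = (code, auth)
        self._bump(f"radiusDynAuthClient{FAMILY[code]}Requests")
        return build_packet(code, ident, auth, attrs)

    def timeout(self, ident):
        """No valid reply in time: the gauge drops and Timeouts is counted."""
        code, _ = self.pending.pop(ident)
        return self._bump(f"radiusDynAuthClient{FAMILY[code]}Timeouts")

    def receive(self, src, packet):
        """Validate one datagram and return the name of the counter it hit."""
        code = packet[0] if packet else None
        if code not in FAMILY:
            return self._bump("radiusDynAuthClientUnknownTypes")
        fam = FAMILY[code]
        if src != self.address:
            # Reply from an address that is not this DAS (scalar in the module).
            return self._bump(f"radiusDynAuthClient{fam}InvalidServerAddresses")
        if len(packet) < HEADER.size:
            return self._bump(f"radiusDynAuthClientMalformed{fam}Responses")
        code, ident, length, auth = HEADER.unpack_from(packet)
        if not HEADER.size <= length <= len(packet):
            return self._bump(f"radiusDynAuthClientMalformed{fam}Responses")
        if code in (DISCONNECT_REQUEST, COA_REQUEST):
            # A request, not a reply, on the client side: silently discarded.
            return self._bump(f"radiusDynAuthClient{fam}PacketsDropped")
        outstanding = self.pending.get(ident)
        if outstanding is None or FAMILY[outstanding[0]] != fam:
            # Nothing outstanding with this Identifier: unsolicited or duplicate.
            return self._bump(f"radiusDynAuthClient{fam}PacketsDropped")
        attrs = packet[HEADER.size:length]   # octets beyond Length are padding
        expected = response_authenticator(code, ident, attrs, outstanding[1], self.secret)
        if not hmac.compare_digest(expected, auth):
            # Wrong secret, forged or tampered reply: the request stays pending.
            return self._bump(f"radiusDynAuthClient{fam}BadAuthenticators")
        del self.pending[ident]
        kind = "Acks" if code in (DISCONNECT_ACK, COA_ACK) else "Naks"
        return self._bump(f"radiusDynAuthClient{fam}{kind}")


def demo():
    """Constructed exchange: forged CoA-Ack, genuine CoA-Ack, its duplicate,
    an unknown code, then a Disconnect-Request that times out."""
    secret, das = b"s3cr3t-constructed", "192.0.2.10"
    dac = DynAuthServerRow(das, secret)
    attrs = bytes([1, 7]) + b"alice"               # User-Name(1) "alice", constructed
    req_auth = dac.send_request(COA_REQUEST, 7, attrs)[4:20]
    genuine = build_packet(COA_ACK, 7, response_authenticator(COA_ACK, 7, b"", req_auth, secret), b"")
    forged = build_packet(COA_ACK, 7, b"\0" * 16, b"")   # impersonator without the secret
    results = [dac.receive(das, forged), dac.receive(das, genuine), dac.receive(das, genuine),
               dac.receive(das, build_packet(99, 8, b"\0" * 16, b""))]
    dac.send_request(DISCONNECT_REQUEST, 8, attrs)
    results.append(dac.timeout(8))
    return dac, results
```

   Calling demo() returns the counter hit by each datagram in turn.  Note
   that a reply with a bad Authenticator leaves the request pending, so the
   genuine reply or the timeout still settles it, and that a DAC which
   skipped the Authenticator comparison would count the forged packet as an
   Ack: the radiusDynAuthClientCoABadAuthenticators counter is the
   operator's signal that someone is trying exactly that.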
   The tables and objects concerned, and their sensitivity or
   vulnerability, are:

   radiusDynAuthServerAddress and radiusDynAuthServerAddressType

   These can be used to determine the address of the DAS with which the
   DAC is communicating.  This information could be useful in mounting
   an attack on the DAS.

   radiusDynAuthServerID

   This can be used to determine the Identifier of the DAS.  This
   information could be useful in impersonating the DAS.

   radiusDynAuthServerClientPortNumber

   This can be used to determine the destination port number to which
   the DAC is sending.  This information could be useful in mounting an
   attack on the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID under mib-2.

7.  Acknowledgements

   The authors would like to acknowledge the following people for their
   comments on this document: Bernard Aboba, Alan DeKok, David Nelson,
   Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg Weber,
   Bert Wijnen and Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNSERV]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Server MIB",
              draft-ietf-radext-dynauth-server-mib-05.txt, work in
              progress, December 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.
   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 94487 60828
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.
   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.