Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: April 22, 2006                                       N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                        October 19, 2005

                    Dynamic Authorization Server MIB
                draft-ietf-radext-dynauth-server-mib-02.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups.  Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 22, 2006.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it describes the RADIUS Dynamic Authorization Server
(DAS) functions that support the dynamic authorization extensions as
defined in RFC 3576.

Table of Contents

1.  Introduction
    1.1.  Requirements notation
    1.2.  Terminology
2.  The Internet-Standard Management Framework
3.  Overview
4.  RADIUS Dynamic Authorization Server MIB Definitions
5.  Security Considerations
6.  IANA considerations
7.  Acknowledgements
8.  References
    8.1.  Normative References
    8.2.  Informative References
Authors' Addresses
Intellectual Property and Copyright Statements

1.  Introduction

This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
It is becoming increasingly important to support Dynamic
Authorization extensions on network access server (NAS) devices to
handle the Disconnect and Change-of-Authorization (CoA) messages
described in [RFC3576].  As a result, the effective management of
RADIUS Dynamic Authorization entities is of considerable importance.
This RADIUS Dynamic Authorization Server (DAS) MIB complements the
managed objects used for managing RADIUS authentication and
accounting clients as described in [RFC2618] and [RFC2620],
respectively.  The corresponding version-neutral IP address MIBs
[RFC2618bis] and [RFC2620bis] will obsolete (if approved) [RFC2618]
and [RFC2620].

1.1.  Requirements notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

1.2.  Terminology

Dynamic Authorization Server (DAS)

   The component that resides on the NAS and processes the Disconnect
   and Change-of-Authorization (CoA) Request packets [RFC3576] sent by
   the Dynamic Authorization Client.
Dynamic Authorization Client (DAC)

   The component that sends Disconnect and CoA-Request packets to the
   Dynamic Authorization Server.  While often residing on the RADIUS
   server, it is also possible for this component to be located on a
   separate host, such as a Rating Engine.

Dynamic Authorization Server Port

   The UDP port on which the Dynamic Authorization Server listens for
   the Disconnect and CoA requests sent by the Dynamic Authorization
   Client.

2.  The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
[RFC3410].

Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB.  MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI).  This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
[RFC2580].

3.  Overview

"Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
Request, CoA-ACK and CoA-NAK packets.  Typically NAS devices
implement the DAS function, and thus would be expected to implement
the RADIUS Dynamic Authorization Server MIB, while DACs implement the
client function, and thus would be expected to implement the RADIUS
Dynamic Authorization Client MIB.

However, it is possible for a RADIUS Dynamic Authorization entity to
perform both client and server functions.  For example, a RADIUS
proxy may act as a DAS to one or more DACs, while simultaneously
acting as a DAC to one or more DASs.  In such situations, it is
expected that RADIUS entities combining client and server
functionality will support both the client and server MIBs.

This memo describes the MIB for Dynamic Authorization Servers and
relates to the following documents as follows:

   [RFC2618] describes the MIB for a RADIUS Authentication Client.

   [RFC2619] describes the MIB for a RADIUS Authentication Server.

   [RFC2620] describes the MIB for a RADIUS Accounting Client.

   [RFC2621] describes the MIB for a RADIUS Accounting Server.

The above MIBs support the IPv4-only address format.  The following
MIBs support version-neutral IP address formats and (if approved)
obsolete the respective MIBs mentioned above.

   [RFC2618bis] describes the MIB for a RADIUS Auth Client MIB (IPv6).

   [RFC2619bis] describes the MIB for a RADIUS Auth Server MIB (IPv6).

   [RFC2620bis] describes the MIB for a RADIUS Acct Client MIB (IPv6).

   [RFC2621bis] describes the MIB for a RADIUS Acct Server MIB (IPv6).

   [DYNCLNT] describes the MIB for a RADIUS Dynamic Authorization
   Client.

A NAS typically implements the MIBs for a RADIUS Authentication
Client, a RADIUS accounting client, and a RADIUS Dynamic
Authorization Server.  However, there is no strict relationship
between these three MIBs, i.e., one MIB can be implemented without
implementing the other MIBs.  Similarly, for the other three MIBs
mentioned above, a typical case would be where the MIBs for a RADIUS
authentication server, a RADIUS accounting server, and a RADIUS
Dynamic Authorization Client are implemented by the same device.
However, these three MIBs can also be implemented independently of
each other.  A RADIUS proxy might implement any of these six MIBs,
but can also implement any subset of them.
          +---------------+                      +---------------+
 User 1---|               | Disconnect-Request   |               |
          |   Dynamic     | CoA-Request          |   Dynamic     |
 User 2---| Authorization |<---------------------| Authorization |
          |    Server     |--------------------->|    Client     |
 User 3---|     (DAS)     | Disconnect-Ack       |     (DAC)     |
          |               | Disconnect-NAK       |               |
          +---------------+ CoA-Ack/CoA-NAK      +---------------+

              Figure 1: Mapping of clients and servers.

This MIB module for the Dynamic Authorization Server contains the
following:

1.  Three scalar objects.

2.  One Dynamic Authorization Client Table.  This table contains one
    row for each DAC with which the DAS shares a secret.

4.  RADIUS Dynamic Authorization Server MIB Definitions

   RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
      MODULE-IDENTITY, OBJECT-TYPE,
      Counter32, Integer32, mib-2 FROM SNMPv2-SMI        -- [RFC2578]
      SnmpAdminString FROM SNMP-FRAMEWORK-MIB            -- [RFC3411]
      InetAddressType,
      InetAddress FROM INET-ADDRESS-MIB                  -- [RFC4001]
      MODULE-COMPLIANCE,
      OBJECT-GROUP FROM SNMPv2-CONF;                     -- [RFC2580]

   radiusDynAuthServerMIB MODULE-IDENTITY
      LAST-UPDATED "200510160000Z" -- 16 October 2005
      ORGANIZATION "IETF RADEXT Working Group"
      CONTACT-INFO
         " Stefaan De Cnodder
           Alcatel
           Francis Wellesplein 1
           B-2018 Antwerp
           Belgium

           Phone: +32 3 240 85 15
           EMail: stefaan.de_cnodder@alcatel.be

           Nagi Reddy Jonnala
           Cisco Systems, Inc.
           Divyasree Chambers, B Wing,
           O'Shaugnessy Road,
           Bangalore-560027, India.

           Phone: +91 98456 99445
           EMail: njonnala@cisco.com

           Murtaza Chiba
           Cisco Systems, Inc.
           170 West Tasman Dr.
           San Jose CA, 95134

           Phone: +1 408 525 7198
           EMail: mchiba@cisco.com "
      DESCRIPTION
         "The MIB module for entities implementing the server
          side of the Dynamic Authorization extensions to the
          Remote Authentication Dial In User Service (RADIUS)
          protocol.

          Copyright (C) The Internet Society (2005).  This initial
          version of this MIB module was published in RFC yyyy;
          for full legal notices see the RFC itself.  Supplementary
          information may be available on
          http://www.ietf.org/copyrights/ianamib.html."
      -- RFC Ed.: replace yyyy with actual RFC number & remove this note

      REVISION "200510160000Z" -- 16 October 2005
      DESCRIPTION "Initial version as published in RFC yyyy."
      -- RFC Ed.: replace yyyy with actual RFC number & remove this note
      ::= { mib-2 xxx }
      -- The value xxx to be assigned by IANA.

   radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
      { radiusDynAuthServerMIB 1 }

   radiusDynAuthServer OBJECT IDENTIFIER ::=
      { radiusDynAuthServerMIBObjects 1 }

   radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of Disconnect messages received from unknown
          addresses."
      ::= { radiusDynAuthServer 1 }

   radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
      SYNTAX Counter32
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of CoA messages received from unknown
          addresses."
      ::= { radiusDynAuthServer 2 }

   radiusDynAuthServerIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The NAS-Identifier of the RADIUS Dynamic Authorization
          Server."
      REFERENCE
         "RFC 2865, Section 5.32, NAS-Identifier."
      ::= { radiusDynAuthServer 3 }

   radiusDynAuthClientTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusDynAuthClientEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "The (conceptual) table listing the RADIUS Dynamic
          Authorization Clients with which the server shares a
          secret."
      ::= { radiusDynAuthServer 4 }

   radiusDynAuthClientEntry OBJECT-TYPE
      SYNTAX RadiusDynAuthClientEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "An entry (conceptual row) representing one Dynamic
          Authorization Client with which the server shares a
          secret."
      INDEX { radiusDynAuthClientIndex }
      ::= { radiusDynAuthClientTable 1 }

   RadiusDynAuthClientEntry ::= SEQUENCE {
      radiusDynAuthClientIndex                     Integer32,
      radiusDynAuthClientAddressType               InetAddressType,
      radiusDynAuthClientAddress                   InetAddress,
      radiusDynAuthServDisconRequests              Counter32,
      radiusDynAuthServDisconAuthOnlyRequests      Counter32,
      radiusDynAuthServDupDisconRequests           Counter32,
      radiusDynAuthServDisconAcks                  Counter32,
      radiusDynAuthServDisconNaks                  Counter32,
      radiusDynAuthServDisconNakAuthOnlyRequests   Counter32,
      radiusDynAuthServDisconNakSessNoContext      Counter32,
      radiusDynAuthServDisconUserSessRemoved       Counter32,
      radiusDynAuthServMalformedDisconRequests     Counter32,
      radiusDynAuthServDisconBadAuthenticators     Counter32,
      radiusDynAuthServDisconPacketsDropped        Counter32,
      radiusDynAuthServCoARequests                 Counter32,
      radiusDynAuthServCoAAuthOnlyRequests         Counter32,
      radiusDynAuthServDupCoARequests              Counter32,
      radiusDynAuthServCoAAcks                     Counter32,
      radiusDynAuthServCoANaks                     Counter32,
      radiusDynAuthServCoANakAuthOnlyRequests      Counter32,
      radiusDynAuthServCoANakSessNoContext         Counter32,
      radiusDynAuthServCoAUserSessChanged          Counter32,
      radiusDynAuthServMalformedCoARequests        Counter32,
      radiusDynAuthServCoABadAuthenticators        Counter32,
      radiusDynAuthServCoAPacketsDropped           Counter32,
      radiusDynAuthServUnknownTypes                Counter32
   }

   radiusDynAuthClientIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
         "A number uniquely identifying each RADIUS Dynamic
          Authorization Client with which this Dynamic
          Authorization Server communicates.  This number is
          allocated by the agent implementing this MIB module,
          and is unique in this context."
      ::= { radiusDynAuthClientEntry 1 }

   radiusDynAuthClientAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The type of IP-Address of the RADIUS Dynamic
          Authorization Client referred to in this table entry."
      ::= { radiusDynAuthClientEntry 2 }

   radiusDynAuthClientAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The IP-Address value of the RADIUS Dynamic
          Authorization Client referred to in this table entry."
      ::= { radiusDynAuthClientEntry 3 }

   radiusDynAuthServDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-Requests received
          from this Dynamic Authorization Client.  This includes
          the RADIUS Disconnect-Requests that have a
          Service-Type attribute with value 'Authorize Only'."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 4 }

   radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-Requests including a
          Service-Type attribute with value 'Authorize Only'
          received from this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 5 }

   radiusDynAuthServDupDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of duplicate RADIUS Disconnect-Request
          packets received from this Dynamic Authorization
          Client."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 6 }

   radiusDynAuthServDisconAcks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-ACK packets
          sent to this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 7 }

   radiusDynAuthServDisconNaks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-NAK packets
          sent to this Dynamic Authorization Client.  This
          includes the RADIUS Disconnect-NAK packets sent
          with a Service-Type attribute with value 'Authorize
          Only' and the RADIUS Disconnect-NAK packets sent
          because no session context was found."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 8 }

   radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-NAK packets
          including a Service-Type attribute with value
          'Authorize Only' sent to this Dynamic Authorization
          Client."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 9 }

   radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-NAK packets
          sent to this Dynamic Authorization Client
          because no session context was found."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 10 }

   radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
      SYNTAX Counter32
      UNITS "sessions"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of user sessions removed for the
          Disconnect-Requests received from this
          Dynamic Authorization Client.  Depending on site-
          specific policies, a single Disconnect request
          can remove multiple user sessions.  In case this
          Dynamic Authorization Server has no knowledge of
          the number of user sessions that are affected,
          it counts a single user session for each such
          Disconnect-Request."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM)."
      ::= { radiusDynAuthClientEntry 11 }

   radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of malformed RADIUS Disconnect-Request
          packets received from this Dynamic Authorization
          Client.  Bad authenticators and unknown types are not
          included as malformed Disconnect-Requests."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM), and
          Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 12 }

   radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS Disconnect-Request packets
          that contained an invalid Authenticator field
          received from this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM), and
          Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 13 }

   radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of incoming Disconnect-Requests
          from this Dynamic Authorization Client silently
          discarded by the server application for some reason
          other than malformed, bad authenticators or unknown
          types."
      REFERENCE
         "RFC 3576, Section 2.1, Disconnect Messages (DM), and
          Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 14 }

   radiusDynAuthServCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-Requests received from this
          Dynamic Authorization Client.  This includes
          the CoA-Requests that have a Service-Type attribute
          with value 'Authorize Only'."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 15 }

   radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-Requests including a
          Service-Type attribute with value 'Authorize Only'
          received from this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 16 }

   radiusDynAuthServDupCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of duplicate RADIUS CoA-Request
          packets received from this Dynamic Authorization
          Client."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 17 }

   radiusDynAuthServCoAAcks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-ACK packets
          sent to this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 18 }

   radiusDynAuthServCoANaks OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-NAK packets sent to
          this Dynamic Authorization Client.  This includes
          the RADIUS CoA-NAK packets sent with a Service-Type
          attribute with value 'Authorize Only' and the RADIUS
          CoA-NAK packets sent because no session context was
          found."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 19 }

   radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-NAK packets including a
          Service-Type attribute with value 'Authorize Only'
          sent to this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 20 }

   radiusDynAuthServCoANakSessNoContext OBJECT-TYPE
      SYNTAX Counter32
      UNITS "replies"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-NAK packets
          sent to this Dynamic Authorization Client
          because no session context was found."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 21 }

   radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
      SYNTAX Counter32
      UNITS "sessions"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of user sessions whose authorization was
          changed for the CoA-Requests received from this
          Dynamic Authorization Client.  Depending on site-
          specific policies, a single CoA request can change
          multiple user sessions' authorization.  In case
          this Dynamic Authorization Server has no knowledge of
          the number of user sessions that are affected,
          it counts a single user session for each such
          CoA-Request."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA)."
      ::= { radiusDynAuthClientEntry 22 }

   radiusDynAuthServMalformedCoARequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of malformed RADIUS CoA-Request
          packets received from this Dynamic Authorization
          Client.  Bad authenticators and unknown types are not
          included as malformed CoA-Requests."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 23 }

   radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of RADIUS CoA-Request packets that
          contained an invalid Authenticator field received
          from this Dynamic Authorization Client."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 24 }

   radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of incoming CoA packets from this
          Dynamic Authorization Client silently discarded
          by the server application for some reason other than
          malformed, bad authenticators or unknown types."
      REFERENCE
         "RFC 3576, Section 2.2, Change-of-Authorization
          Messages (CoA), and Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 25 }

   radiusDynAuthServUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      UNITS "requests"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
         "The number of incoming packets of unknown types
          that were received on the Dynamic Authorization port."
      REFERENCE
         "RFC 3576, Section 2.3, Packet Format."
      ::= { radiusDynAuthClientEntry 26 }

   -- conformance information

   radiusDynAuthServerMIBConformance
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
   radiusDynAuthServerMIBCompliances
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
   radiusDynAuthServerMIBGroups
      OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

   -- compliance statements

   radiusAuthServerMIBCompliance MODULE-COMPLIANCE
      STATUS current
      DESCRIPTION
         "The compliance statement for entities implementing
          the RADIUS Dynamic Authorization Server."
      MODULE -- this module
      MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }

      GROUP radiusDynAuthServerAuthOnlyGroup
      DESCRIPTION
         "Only required for Dynamic Authorization Clients that
          support Service-Type attributes with value
          'Authorize-Only'."

      GROUP radiusDynAuthServerNoSessGroup
      DESCRIPTION
         "This group is not required in case the Dynamic
          Authorization Server cannot easily determine whether
          a session exists or not (e.g., in case of a RADIUS
          proxy)."
      ::= { radiusDynAuthServerMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthServerMIBGroup OBJECT-GROUP
      OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                radiusDynAuthServerCoAInvalidClientAddresses,
                radiusDynAuthServerIdentifier,
                radiusDynAuthClientAddressType,
                radiusDynAuthClientAddress,
                radiusDynAuthServDisconRequests,
                radiusDynAuthServDupDisconRequests,
                radiusDynAuthServDisconAcks,
                radiusDynAuthServDisconNaks,
                radiusDynAuthServDisconUserSessRemoved,
                radiusDynAuthServMalformedDisconRequests,
                radiusDynAuthServDisconBadAuthenticators,
                radiusDynAuthServDisconPacketsDropped,
                radiusDynAuthServCoARequests,
                radiusDynAuthServDupCoARequests,
                radiusDynAuthServCoAAcks,
                radiusDynAuthServCoANaks,
                radiusDynAuthServCoAUserSessChanged,
                radiusDynAuthServMalformedCoARequests,
                radiusDynAuthServCoABadAuthenticators,
                radiusDynAuthServCoAPacketsDropped,
                radiusDynAuthServUnknownTypes
              }
      STATUS current
      DESCRIPTION
         "The collection of objects providing management of
          a RADIUS Dynamic Authorization Server."
      ::= { radiusDynAuthServerMIBGroups 1 }

   radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
      OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
                radiusDynAuthServDisconNakAuthOnlyRequests,
                radiusDynAuthServCoAAuthOnlyRequests,
                radiusDynAuthServCoANakAuthOnlyRequests
              }
      STATUS current
      DESCRIPTION
         "The collection of objects supporting the RADIUS
          messages including a Service-Type attribute with
          value 'Authorize Only'."
      ::= { radiusDynAuthServerMIBGroups 2 }

   radiusDynAuthServerNoSessGroup OBJECT-GROUP
      OBJECTS { radiusDynAuthServDisconNakSessNoContext,
                radiusDynAuthServCoANakSessNoContext
              }
      STATUS current
      DESCRIPTION
         "The collection of objects supporting the RADIUS
          messages that refer to non-existing sessions."
      ::= { radiusDynAuthServerMIBGroups 3 }

   END
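The receive path that the counters in this module describe, as an added example in Python (it is not part of the draft and not taken from any implementation the draft references). The DAC side builds Disconnect-Request and CoA-Request packets with the RFC 3576 Request Authenticator; the DAS side routes each incoming datagram to exactly one of the module's failure counters (InvalidClientAddresses, UnknownTypes, Malformed*Requests, *BadAuthenticators, Dup*Requests) or on to the ACK/NAK path (NakAuthOnly, NakSessNoContext, UserSessRemoved/Changed), and answers with a Response Authenticator the DAC can verify. The DAC table `known_dacs`, the session store `sessions`, the addresses and secrets in `demo()`, and session lookup by User-Name alone are constructed assumptions; the *PacketsDropped counters are not exercised because the draft leaves their policy reason open.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Packet codes and attribute numbers from RFC 3576 / RFC 2865.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST, COA_ACK, COA_NAK = 40, 41, 42, 43, 44, 45
USER_NAME, SERVICE_TYPE, ERROR_CAUSE = 1, 6, 101
AUTHORIZE_ONLY = struct.pack("!I", 17)  # Service-Type value defined by RFC 3576
UNSUPPORTED_SERVICE, SESSION_CONTEXT_NOT_FOUND, REQUEST_INITIATED = 405, 503, 507

def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs; ValueError on a truncated or under-length attribute."""
    attrs, pos = [], 0
    while pos < len(data):
        n = data[pos + 1] if len(data) - pos >= 2 else 0
        if n < 2 or pos + n > len(data):
            raise ValueError("bad attribute framing")
        attrs.append((data[pos], data[pos + 2:pos + n]))
        pos += n
    return attrs

def build(code, ident, seed, attrs, secret):
    """Build a packet (RFC 3576 Section 2.3): seed is 16 zero octets for a request
    (Request Authenticator) or the Request Authenticator for a reply (Response Authenticator)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + seed + body + secret).digest() + body

def authenticator_ok(pkt, seed, secret):
    """Recompute the Authenticator with the same seed; compare in constant time."""
    expected = hashlib.md5(pkt[:4] + seed + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

class DynAuthServer:
    """DAS receive path maintaining the RADIUS-DYNAUTH-SERVER-MIB counters. Per-client
    counters are keyed by DAC address (standing in for radiusDynAuthClientIndex)."""

    def __init__(self, known_dacs, sessions):
        self.secrets = dict(known_dacs)  # constructed: DAC address -> shared secret
        self.sessions = set(sessions)    # constructed: User-Names that have a session
        self.scalars, self.cache, self.per_client = Counter(), {}, {a: Counter() for a in self.secrets}

    def receive(self, src, pkt):
        """Classify one datagram into the MIB counters; return the reply or None."""
        kind = {DISCONNECT_REQUEST: "Discon", COA_REQUEST: "CoA"}.get(pkt[0] if pkt else None)
        if src not in self.secrets:  # unknown DAC: only the two scalars move
            if kind:
                self.scalars[f"radiusDynAuthServer{kind}InvalidClientAddresses"] += 1
            return None
        c, secret = self.per_client[src], self.secrets[src]
        if kind is None:
            c["radiusDynAuthServUnknownTypes"] += 1
            return None
        try:
            if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
                raise ValueError("bad length")
            attrs = dict(decode_attrs(pkt[20:]))
        except ValueError:
            c[f"radiusDynAuthServMalformed{kind}Requests"] += 1
            return None
        ident, req_auth = pkt[1], pkt[4:20]
        if not authenticator_ok(pkt, bytes(16), secret):
            c[f"radiusDynAuthServ{kind}BadAuthenticators"] += 1
            return None
        c[f"radiusDynAuthServ{kind}Requests"] += 1
        if (src, ident, req_auth) in self.cache:  # retransmission: resend the cached reply
            c[f"radiusDynAuthServDup{kind}Requests"] += 1
            return self.cache[(src, ident, req_auth)]
        ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if kind == "Discon" else (COA_ACK, COA_NAK)
        if attrs.get(SERVICE_TYPE) == AUTHORIZE_ONLY:  # NAKed; a CoA one starts re-authorization
            c.update([f"radiusDynAuthServ{kind}AuthOnlyRequests", f"radiusDynAuthServ{kind}NakAuthOnlyRequests"])
            cause = UNSUPPORTED_SERVICE if kind == "Discon" else REQUEST_INITIATED
            code, extra = nak, [(SERVICE_TYPE, AUTHORIZE_ONLY), (ERROR_CAUSE, struct.pack("!I", cause))]
        elif attrs.get(USER_NAME) not in self.sessions:
            c[f"radiusDynAuthServ{kind}NakSessNoContext"] += 1
            code, extra = nak, [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))]
        else:
            if kind == "Discon":
                self.sessions.discard(attrs[USER_NAME])
            c[f"radiusDynAuthServ{kind}UserSess{'Removed' if kind == 'Discon' else 'Changed'}"] += 1
            code, extra = ack, []
        c[f"radiusDynAuthServ{kind}{'Acks' if code == ack else 'Naks'}"] += 1
        reply = self.cache[(src, ident, req_auth)] = build(code, ident, req_auth, extra, secret)
        return reply

def demo():  # constructed exchange: one configured DAC, one forged packet, one unknown host
    das = DynAuthServer({"192.0.2.10": b"s3cret"}, {b"alice", b"bob"})
    req = build(DISCONNECT_REQUEST, 1, bytes(16), [(USER_NAME, b"alice")], b"s3cret")
    reply = das.receive("192.0.2.10", req)
    assert reply[0] == DISCONNECT_ACK and authenticator_ok(reply, req[4:20], b"s3cret")
    das.receive("192.0.2.10", req)  # retransmission of the same request
    das.receive("192.0.2.10", build(COA_REQUEST, 2, bytes(16), [(USER_NAME, b"mallory")], b"s3cret"))
    das.receive("192.0.2.10", build(COA_REQUEST, 3, bytes(16), [(USER_NAME, b"bob")], b"wrong"))
    das.receive("198.51.100.7", req)  # source is not a configured DAC
    return das.scalars, das.per_client["192.0.2.10"]
```

Counter keys are the object descriptors from this section, so each per-client Counter maps onto one conceptual row of radiusDynAuthClientTable and `demo()` returns the scalars and that row. The check order (address, type, framing, then authenticator) is what keeps Malformed*Requests, *BadAuthenticators and UnknownTypes disjoint as their DESCRIPTION clauses require, and the retransmission branch counts in both *Requests and Dup*Requests without re-running the disconnect, so UserSessRemoved reflects sessions actually removed.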
Security Considerations 803 There are no management objects defined in this MIB module that have 804 a MAX-ACCESS clause of read-write and/or read-create. So, if this 805 MIB module is implemented correctly, then there is no risk that an 806 intruder can alter or create any management objects of this MIB 807 module via direct SNMP SET operations 809 Some of the readable objects in this MIB module (i.e., objects with a 810 MAX-ACCESS other than not-accessible) may be considered sensitive or 811 vulnerable in some network environments. It is thus important to 812 control even GET and/or NOTIFY access to these objects and possibly 813 to even encrypt the values of these objects when sending them over 814 the network via SNMP. These are the tables and objects and their 815 sensitivity/vulnerability: 817 radiusDynAuthClientAddress and radiusDynAuthClientAddressType 819 These can be used to determine the address of the DAC with which the 820 DAS is communicating. This information could be useful in mounting 821 an attack on the DAC. 823 radiusDynAuthServerIdentifier 825 This can be used to determine the Identifier of the DAS. This 826 information could be useful in impersonating the DAS. 828 The other readable objects are not really considered as being 829 sensitive or vulnerable. 
These objects are: 831 radiusDynAuthServerDisconInvalidClientAddresses, 832 radiusDynAuthServerCoAInvalidClientAddresses, 833 radiusDynAuthServDisconRequests, 834 radiusDynAuthServDisconAuthOnlyRequests, 835 radiusDynAuthServDupDisconRequests, 836 radiusDynAuthServDisconAcks, 837 radiusDynAuthServDisconNaks, 838 radiusDynAuthServDisconNakAuthOnlyRequests, 839 radiusDynAuthServDisconNakSessNoContext, 840 radiusDynAuthServDisconUserSessRemoved, 841 radiusDynAuthServMalformedDisconRequests, 842 radiusDynAuthServDisconBadAuthenticators, 843 radiusDynAuthServDisconPacketsDropped, 844 radiusDynAuthServCoARequests, 845 radiusDynAuthServCoAAuthOnlyRequests, 846 radiusDynAuthServDupCoARequests, 847 radiusDynAuthServCoAAcks, 848 radiusDynAuthServCoANaks, 849 radiusDynAuthServCoANakAuthOnlyRequests, 850 radiusDynAuthServCoANakSessNoContext, 851 radiusDynAuthServCoAUserSessChanged, 852 radiusDynAuthServMalformedCoARequests, 853 radiusDynAuthServCoABadAuthenticators, 854 radiusDynAuthServCoAPacketsDropped, and 855 radiusDynAuthServUnknownTypes. 857 SNMP versions prior to SNMPv3 did not include adequate security. 858 Even if the network itself is secure (for example by using IPSec), 859 even then, there is no control as to who on the secure network is 860 allowed to access and GET/SET (read/change/create/delete) the objects 861 in this MIB module. 863 It is RECOMMENDED that implementers consider the security features as 864 provided by the SNMPv3 framework (see [RFC3410], section 8), 865 including full support for the SNMPv3 cryptographic mechanisms (for 866 authentication and privacy). 868 Further, deployment of SNMP versions prior to SNMPv3 is NOT 869 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to 870 enable cryptographic security. 
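   Added here as an illustration of the two recommendations above
   (deploy SNMPv3 with authentication and privacy, and give access only
   to legitimate principals); it is not part of this draft.  The
   fragment is in Net-SNMP snmpd.conf syntax and shows the weak
   SNMPv1/v2c setting beside an SNMPv3 authPriv user whose view exposes
   this module's counters but excludes the three objects listed above
   as sensitive.  MODULE-ROOT-OID stands for the OID IANA assigns under
   mib-2, which this draft leaves unassigned; the user name, view name
   and passphrases are assumed values.

```conf
# Weak setting (NOT RECOMMENDED above): an SNMPv1/v2c community string,
# sent in cleartext, no authentication, read access to every object.
#rocommunity public

# Hardened setting: SNMPv3 USM user with authentication (SHA) and
# privacy (AES).  Passphrases are placeholders; replace before use.
createUser radiusMon SHA "REPLACE-auth-passphrase" AES "REPLACE-priv-passphrase"

# Read-only access, authPriv required, restricted to the view below.
# With no rocommunity/rwcommunity lines, SNMPv1/v2c requests are refused.
rouser radiusMon priv -V radiusDynAuthView

# The view covers this MIB module's subtree.  MODULE-ROOT-OID is a
# placeholder for the OID IANA assigns under mib-2 (IANA section).
view radiusDynAuthView included MODULE-ROOT-OID

# ... except the three objects classified above as sensitive (DAC
# address and address type; DAS identifier).  A more specific
# "excluded" entry overrides the "included" parent subtree.  Object
# names resolve only if snmpd can load this MIB module; otherwise
# substitute their numeric OIDs.
view radiusDynAuthView excluded radiusDynAuthClientAddressType
view radiusDynAuthView excluded radiusDynAuthClientAddress
view radiusDynAuthView excluded radiusDynAuthServerIdentifier
```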
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID xxx under mib-2.

7.  Acknowledgements

   This document reuses some of the work done in earlier RADIUS MIB
   specifications [RFC2618] and [RFC2620].

   The authors would also like to acknowledge the following people for
   their comments on this document: Anjaneyulu Pata, Dan Romascanu, Bert
   Wijnen, Bernard Aboba, David Nelson, Greg Weber and Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., et al., "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-decnodder-radext-dynauth-client-mib-02.txt, Work in
              Progress, September 2005.

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2618bis]
              Nelson, D., "RADIUS Auth Client MIB (IPv6)",
              draft-ietf-radext-rfc2618bis-00.txt, Work in Progress,
              August 2005.

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-00.txt, Work in Progress,
              August 2005.

   [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
              RFC 2620, June 1999.

   [RFC2620bis]
              Nelson, D., "RADIUS Acct Client MIB (IPv6)",
              draft-ietf-radext-rfc2620bis-00.txt, Work in Progress,
              August 2005.

   [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
              RFC 2621, June 1999.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-00.txt, Work in Progress,
              August 2005.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.