Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: July 7, 2006                                         N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                         January 3, 2006


                   Dynamic Authorization Server MIB
                draft-ietf-radext-dynauth-server-mib-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 7, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS) [RFC2865] Dynamic Authorization Server (DAS)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
     1.1.  Requirements notation
     1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Server MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on the network access server (NAS) devices
   to handle the Disconnect and Change-of-Authorization (CoA) messages
   as described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Server (DAS) MIB complements the
   managed objects used for managing RADIUS authentication and
   accounting clients as described in [RFC2618bis] and [RFC2620bis],
   respectively.

   -- RFC Ed.: references [DYNCLNT], [RFC2618bis], [RFC2619bis],
   -- [RFC2620bis], and [RFC2621bis] should be replaced by
   -- references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS which processes the
      Disconnect and Change-of-Authorization (CoA) Request packets
      [RFC3576] sent by the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component which sends Disconnect and CoA-Request packets to
      the Dynamic Authorization Server.  While often residing on the
      RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
   CoA-Request, CoA-ACK and CoA-NAK packets.  Typically NAS devices
   implement the DAS function, and thus would be expected to implement
   the RADIUS Dynamic Authorization Server MIB, while DACs implement the
   client function, and thus would be expected to implement the RADIUS
   Dynamic Authorization Client MIB.
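   The packet types just listed are what a DAS has to classify on its
   UDP port, and each outcome of that classification corresponds to one
   counter in the MIB module of Section 4.  The Python below is an added
   example, not code from this draft or from any RADIUS implementation:
   it parses an incoming datagram, verifies the RFC 3576 Request
   Authenticator (MD5 over Code, Identifier, Length, sixteen zero
   octets, the attributes and the shared secret) and increments the
   counter this document defines for the result.  A sender that shares
   no secret only moves the two radiusDynAuthServer*InvalidClientAddresses
   scalars; a known DAC owns a row whose UnknownTypes, Malformed,
   BadAuthenticators, NakSessNoContext, Acks/Naks and
   UserSessRemoved/UserSessChanged objects move as the descriptions in
   Section 4 require.  The DAC table, shared secrets, session store and
   the addresses 192.0.2.10 and 198.51.100.7 are constructed test data;
   rows are keyed by DAC address instead of radiusDynAuthClientIndex,
   and duplicate detection, 'Authorize Only' handling and the
   PacketsDropped drop policy are left out of the model.

```python
# Added example (not from the draft or any project): a model of the DAS receive
# path that classifies each inbound datagram and bumps the counters named in the
# draft's MIB module.  Packet codes, attribute numbers and the authenticator rules
# are RFC 3576's; the DAC table, shared secrets and session store are constructed.
import hashlib
import struct
from collections import Counter

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101      # attribute types
SESSION_CONTEXT_NOT_FOUND = struct.pack("!I", 503)       # Error-Cause value
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator

def pack(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def request_authenticator(code, ident, attrs, secret):
    """RFC 3576 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(pack(code, ident, bytes(16), attrs) + secret).digest()

def parse_request(data):
    """Return (code, ident, authenticator, [(type, value)]) or None if malformed."""
    if len(data) < HEADER.size or HEADER.unpack_from(data)[2] != len(data):
        return None                      # Length field disagrees with the datagram
    code, ident, _, auth = HEADER.unpack_from(data)
    attrs, pos = [], HEADER.size
    while pos < len(data):
        length = data[pos + 1] if len(data) - pos >= 2 else 0
        if length < 2 or pos + length > len(data):
            return None                  # TLV too short or overruns the datagram
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return code, ident, auth, attrs

class Das:
    """Dynamic Authorization Server keeping one counter row per known DAC."""

    def __init__(self, clients, sessions):
        self.clients = clients      # DAC address -> shared secret
        self.sessions = sessions    # User-Name -> set of Acct-Session-Id values
        self.scalars = Counter()    # radiusDynAuthServer* scalar objects
        self.rows = {c: Counter() for c in clients}   # radiusDynAuthClientTable

    def handle(self, src, data):
        """Classify one datagram from src; return the reply bytes or None."""
        kind = {DISCONNECT_REQUEST: "Discon", COA_REQUEST: "CoA"}.get(data[0] if data else -1)
        if src not in self.clients:      # no shared secret: only the scalars count it
            if kind:
                self.scalars[f"radiusDynAuthServer{kind}InvalidClientAddresses"] += 1
            return None
        row, secret = self.rows[src], self.clients[src]
        if kind is None:
            row["radiusDynAuthServUnknownTypes"] += 1
            return None
        row[f"radiusDynAuthServ{kind}Requests"] += 1
        parsed = parse_request(data)
        if parsed is None:
            row[f"radiusDynAuthServMalformed{kind}Requests"] += 1
            return None
        code, ident, auth, attrs = parsed
        if auth != request_authenticator(code, ident, attrs, secret):
            row[f"radiusDynAuthServ{kind}BadAuthenticators"] += 1
            return None                  # RFC 3576: silently discarded
        # Sessions are selected by User-Name, narrowed by Acct-Session-Id when present.
        names = {v.decode() for t, v in attrs if t == USER_NAME}
        ids = {v.decode() for t, v in attrs if t == ACCT_SESSION_ID}
        matched = {u: {s for s in self.sessions.get(u, ()) if not ids or s in ids} for u in names}
        affected = sum(len(s) for s in matched.values())   # one request may hit several
        ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if kind == "Discon" else (COA_ACK, COA_NAK)
        if affected == 0:
            row[f"radiusDynAuthServ{kind}NakSessNoContext"] += 1
            return self.reply(nak, ident, auth, secret, row, kind, [(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)])
        if kind == "Discon":
            for user, gone in matched.items():
                self.sessions.get(user, set()).difference_update(gone)
            row["radiusDynAuthServDisconUserSessRemoved"] += affected
        else:
            row["radiusDynAuthServCoAUserSessChanged"] += affected
        return self.reply(ack, ident, auth, secret, row, kind, [])

    def reply(self, code, ident, req_auth, secret, row, kind, attrs):
        row[f"radiusDynAuthServ{kind}" + ("Acks" if code in (DISCONNECT_ACK, COA_ACK) else "Naks")] += 1
        # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        resp_auth = hashlib.md5(pack(code, ident, req_auth, attrs) + secret).digest()
        return pack(code, ident, resp_auth, attrs)

def demo():
    """Constructed scenario: known DAC 192.0.2.10, unknown sender 198.51.100.7."""
    das = Das({"192.0.2.10": b"constructed-secret"}, {"alice": {"s1", "s2"}, "bob": {"s3"}})
    for src, code, ident, attrs, key in [
            ("192.0.2.10", DISCONNECT_REQUEST, 1, [(USER_NAME, b"alice")], b"constructed-secret"),
            ("192.0.2.10", COA_REQUEST, 2, [(USER_NAME, b"carol")], b"constructed-secret"),
            ("192.0.2.10", DISCONNECT_REQUEST, 3, [(USER_NAME, b"bob")], b"wrong-secret"),
            ("198.51.100.7", DISCONNECT_REQUEST, 4, [(USER_NAME, b"bob")], b"constructed-secret")]:
        das.handle(src, pack(code, ident, request_authenticator(code, ident, attrs, key), attrs))
    return das
```

   After demo() the row for 192.0.2.10 shows two Disconnect-Requests,
   one Disconnect-ACK with two sessions removed, one bad authenticator
   and one CoA-NAK for a user with no session context, while the
   Disconnect scalar records the sender that shares no secret.  Read
   over SNMP, a rising BadAuthenticators or InvalidClientAddresses
   value is exactly the signal an operator polls these objects for: a
   peer that does not hold the shared secret is talking to the DAS port.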
   However, it is possible for a RADIUS Dynamic Authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for Dynamic Authorization Servers and
   relates to the following documents as follows:

   [RFC2618bis] describes the MIB for a RADIUS Auth Client MIB.

   [RFC2619bis] describes the MIB for a RADIUS Auth Server MIB.

   [RFC2620bis] describes the MIB for a RADIUS Acct Client MIB.

   [RFC2621bis] describes the MIB for a RADIUS Acct Server MIB.

   [DYNCLNT] describes the MIB for a RADIUS Dynamic Authorization
   Client.

   A NAS typically implements the MIBs for a RADIUS Authentication
   Client, a RADIUS accounting client, and a RADIUS Dynamic
   Authorization Server.  However, any one MIB can be implemented
   without implementing any of the other MIBs, i.e. the MIBs have no
   dependencies on each other.  A typical case would be for a device to
   implement the MIBs RADIUS authentication server, RADIUS accounting
   server and RADIUS Dynamic Authorization Client.  A RADIUS proxy might
   implement any, all or a subset of the MIBs listed above and the MIB
   as defined in this document.

             +---------------+                       +---------------+
   User 1----|               |  Disconnect-Request   |               |
             |    Dynamic    |      CoA-Request      |    Dynamic    |
   User 2----| Authorization |<----------------------| Authorization |
             |    Server     |---------------------->|    Client     |
   User 3----|     (DAS)     |    Disconnect-Ack     |     (DAC)     |
             |               |    Disconnect-NAK     |               |
             +---------------+    CoA-Ack/CoA-NAK    +---------------+

                  Figure 1: Mapping of clients and servers.

   This MIB module for the Dynamic Authorization Server contains the
   following:

   1.  Three scalar objects, and

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC with which the DAS shares a secret.

4.  RADIUS Dynamic Authorization Server MIB Definitions

   RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Integer32, mib-2   FROM SNMPv2-SMI         -- [RFC2578]
          SnmpAdminString               FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
          InetAddressType,
          InetAddress                   FROM INET-ADDRESS-MIB   -- [RFC4001]
          MODULE-COMPLIANCE,
          OBJECT-GROUP                  FROM SNMPv2-CONF;       -- [RFC2580]

   radiusDynAuthServerMIB MODULE-IDENTITY
          LAST-UPDATED "200601030000Z" -- 3 January 2006
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Cisco Systems, Inc.
                   Divyasree Chambers, B Wing,
                   O'Shaugnessy Road,
                   Bangalore-560027, India.

                   Phone: +91 98456 99445
                   EMail: njonnala@cisco.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Dynamic Authorization Extensions to Remote
                 Authentication Dial In User Service (RADIUS) protocol.

                 Copyright (C) The Internet Society (2005).  Initial
                 version as published in RFC yyyy;
                 for full legal notices see the RFC itself.  Supplementary
                 information may be available on
                 http://www.ietf.org/copyrights/ianamib.html."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200601030000Z" -- 3 January 2006
          DESCRIPTION "Initial version as published in RFC yyyy."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { mib-2 xxx }
          -- The value xxx to be assigned by IANA.
247 radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::= 248 { radiusDynAuthServerMIB 1 } 250 radiusDynAuthServer OBJECT IDENTIFIER ::= 251 { radiusDynAuthServerMIBObjects 1 } 253 radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE 254 SYNTAX Counter32 255 MAX-ACCESS read-only 256 STATUS current 257 DESCRIPTION 258 "The number of Disconnect-Request packets received from 259 unknown addresses." 260 ::= { radiusDynAuthServer 1 } 262 radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE 263 SYNTAX Counter32 264 MAX-ACCESS read-only 265 STATUS current 266 DESCRIPTION 267 "The number of CoA-Request packets received from unknown 268 addresses." 269 ::= { radiusDynAuthServer 2 } 271 radiusDynAuthServerIdentifier OBJECT-TYPE 272 SYNTAX SnmpAdminString 273 MAX-ACCESS read-only 274 STATUS current 275 DESCRIPTION 276 "The NAS-Identifier of the RADIUS Dynamic Authorization 277 Server. This is not necessarily the same as sysName in 278 MIB II." 279 REFERENCE 280 "RFC 2865, Section 5.32, NAS-Identifier." 281 ::= { radiusDynAuthServer 3 } 283 radiusDynAuthClientTable OBJECT-TYPE 284 SYNTAX SEQUENCE OF RadiusDynAuthClientEntry 285 MAX-ACCESS not-accessible 286 STATUS current 287 DESCRIPTION 288 "The (conceptual) table listing the RADIUS Dynamic 289 Authorization Clients with which the server shares a 290 secret." 291 ::= { radiusDynAuthServer 4 } 293 radiusDynAuthClientEntry OBJECT-TYPE 294 SYNTAX RadiusDynAuthClientEntry 295 MAX-ACCESS not-accessible 296 STATUS current 297 DESCRIPTION 298 "An entry (conceptual row) representing one Dynamic 299 Authorization Client with which the server shares a 300 secret." 
301 INDEX { radiusDynAuthClientIndex } 302 ::= { radiusDynAuthClientTable 1 } 304 RadiusDynAuthClientEntry ::= SEQUENCE { 305 radiusDynAuthClientIndex Integer32, 306 radiusDynAuthClientAddressType InetAddressType, 307 radiusDynAuthClientAddress InetAddress, 308 radiusDynAuthServDisconRequests Counter32, 309 radiusDynAuthServDisconAuthOnlyRequests Counter32, 310 radiusDynAuthServDupDisconRequests Counter32, 311 radiusDynAuthServDisconAcks Counter32, 312 radiusDynAuthServDisconNaks Counter32, 313 radiusDynAuthServDisconNakAuthOnlyRequests Counter32, 314 radiusDynAuthServDisconNakSessNoContext Counter32, 315 radiusDynAuthServDisconUserSessRemoved Counter32, 316 radiusDynAuthServMalformedDisconRequests Counter32, 317 radiusDynAuthServDisconBadAuthenticators Counter32, 318 radiusDynAuthServDisconPacketsDropped Counter32, 319 radiusDynAuthServCoARequests Counter32, 320 radiusDynAuthServCoAAuthOnlyRequests Counter32, 321 radiusDynAuthServDupCoARequests Counter32, 322 radiusDynAuthServCoAAcks Counter32, 323 radiusDynAuthServCoANaks Counter32, 324 radiusDynAuthServCoANakAuthOnlyRequests Counter32, 325 radiusDynAuthServCoANakSessNoContext Counter32, 326 radiusDynAuthServCoAUserSessChanged Counter32, 327 radiusDynAuthServMalformedCoARequests Counter32, 328 radiusDynAuthServCoABadAuthenticators Counter32, 329 radiusDynAuthServCoAPacketsDropped Counter32, 330 radiusDynAuthServUnknownTypes Counter32 332 } 334 radiusDynAuthClientIndex OBJECT-TYPE 335 SYNTAX Integer32 (1..2147483647) 336 MAX-ACCESS not-accessible 337 STATUS current 338 DESCRIPTION 339 "A number uniquely identifying each RADIUS Dynamic 340 Authorization Client with which this Dynamic 341 Authorization Server communicates. This number is 342 allocated by the agent implementing this MIB module, 343 and is unique in this context." 
344 ::= { radiusDynAuthClientEntry 1 } 346 radiusDynAuthClientAddressType OBJECT-TYPE 347 SYNTAX InetAddressType 348 MAX-ACCESS read-only 349 STATUS current 350 DESCRIPTION 351 "The type of IP address of the RADIUS Dynamic 352 Authorization Client referred to in this table entry." 353 ::= { radiusDynAuthClientEntry 2 } 355 radiusDynAuthClientAddress OBJECT-TYPE 356 SYNTAX InetAddress 357 MAX-ACCESS read-only 358 STATUS current 359 DESCRIPTION 360 "The IP address value of the RADIUS Dynamic 361 Authorization Client referred to in this table entry, 362 using the version neutral IP address format." 363 ::= { radiusDynAuthClientEntry 3 } 365 radiusDynAuthServDisconRequests OBJECT-TYPE 366 SYNTAX Counter32 367 UNITS "requests" 368 MAX-ACCESS read-only 369 STATUS current 370 DESCRIPTION 371 "The number of RADIUS Disconnect-Requests received 372 from this Dynamic Authorization Client. This also 373 includes the RADIUS Disconnect-Requests that have a 374 Service-Type attribute with value 'Authorize Only'." 375 REFERENCE 376 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 377 ::= { radiusDynAuthClientEntry 4 } 379 radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE 380 SYNTAX Counter32 381 UNITS "requests" 382 MAX-ACCESS read-only 383 STATUS current 384 DESCRIPTION 385 "The number of RADIUS Disconnect-Requests that include 386 a Service-Type attribute with value 'Authorize Only' 387 received from this Dynamic Authorization Client." 388 REFERENCE 389 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 390 ::= { radiusDynAuthClientEntry 5 } 392 radiusDynAuthServDupDisconRequests OBJECT-TYPE 393 SYNTAX Counter32 394 UNITS "requests" 395 MAX-ACCESS read-only 396 STATUS current 397 DESCRIPTION 398 "The number of duplicate RADIUS Disconnect-Request 399 packets received from this Dynamic Authorization 400 Client." 401 REFERENCE 402 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 
403 ::= { radiusDynAuthClientEntry 6 } 405 radiusDynAuthServDisconAcks OBJECT-TYPE 406 SYNTAX Counter32 407 UNITS "replies" 408 MAX-ACCESS read-only 409 STATUS current 410 DESCRIPTION 411 "The number of RADIUS Disconnect-ACK packets 412 sent to this Dynamic Authorization Client" 413 REFERENCE 414 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 415 ::= { radiusDynAuthClientEntry 7 } 417 radiusDynAuthServDisconNaks OBJECT-TYPE 418 SYNTAX Counter32 419 UNITS "replies" 420 MAX-ACCESS read-only 421 STATUS current 422 DESCRIPTION 423 "The number of RADIUS Disconnect-NAK packets 424 sent to this Dynamic Authorization Client. This 425 includes the RADIUS Disconnect-NAK packets sent 426 with a Service-Type attribute with value 'Authorize 427 Only' and the RADIUS Disconnect-NAK packets sent 428 because no session context was found." 429 REFERENCE 430 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 431 ::= { radiusDynAuthClientEntry 8 } 433 radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE 434 SYNTAX Counter32 435 UNITS "replies" 436 MAX-ACCESS read-only 437 STATUS current 438 DESCRIPTION 439 "The number of RADIUS Disconnect-NAK packets that 440 include a Service-Type attribute with value 441 'Authorize Only' sent to this Dynamic Authorization 442 Client." 443 REFERENCE 444 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 445 ::= { radiusDynAuthClientEntry 9 } 447 radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE 448 SYNTAX Counter32 449 UNITS "replies" 450 MAX-ACCESS read-only 451 STATUS current 452 DESCRIPTION 453 "The number of RADIUS Disconnect-NAK packets 454 sent to this Dynamic Authorization Client 455 because no session context was found." 456 REFERENCE 457 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 
458 ::= { radiusDynAuthClientEntry 10 } 460 radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE 461 SYNTAX Counter32 462 UNITS "sessions" 463 MAX-ACCESS read-only 464 STATUS current 465 DESCRIPTION 466 "The number of user sessions removed for the 467 Disconnect-Requests received from this 468 Dynamic Authorization Client. Depending on site 469 specific policies, a single Disconnect request 470 can remove multiple user sessions. In the case 471 that this Dynamic Authorization Server has no 472 knowledge of the number of user sessions that 473 are affected by a single request, for each such 474 Disconnect-Request, it will count as a single 475 affected user session only." 476 REFERENCE 477 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 478 ::= { radiusDynAuthClientEntry 11 } 480 radiusDynAuthServMalformedDisconRequests OBJECT-TYPE 481 SYNTAX Counter32 482 UNITS "requests" 483 MAX-ACCESS read-only 484 STATUS current 485 DESCRIPTION 486 "The number of malformed RADIUS Disconnect-Request 487 packets received from this Dynamic Authorization 488 Client. Bad authenticators and unknown types are not 489 included as malformed Disconnect-Requests." 490 REFERENCE 491 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 492 Section 2.3, Packet Format." 493 ::= { radiusDynAuthClientEntry 12 } 495 radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE 496 SYNTAX Counter32 497 UNITS "requests" 498 MAX-ACCESS read-only 499 STATUS current 500 DESCRIPTION 501 "The number of RADIUS Disconnect-Request packets 502 which contained invalid Authenticator field 503 received from this Dynamic Authorization Client." 504 REFERENCE 505 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 506 Section 2.3, Packet Format." 
507 ::= { radiusDynAuthClientEntry 13 } 509 radiusDynAuthServDisconPacketsDropped OBJECT-TYPE 510 SYNTAX Counter32 511 UNITS "requests" 512 MAX-ACCESS read-only 513 STATUS current 514 DESCRIPTION 515 "The number of incoming Disconnect-Requests 516 from this Dynamic Authorization Client silently 517 discarded by the server application for some reason 518 other than malformed, bad authenticators or unknown 519 types." 520 REFERENCE 521 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 522 Section 2.3, Packet Format." 524 ::= { radiusDynAuthClientEntry 14 } 526 radiusDynAuthServCoARequests OBJECT-TYPE 527 SYNTAX Counter32 528 UNITS "requests" 529 MAX-ACCESS read-only 530 STATUS current 531 DESCRIPTION 532 "The number of RADIUS CoA-requests received from this 533 Dynamic Authorization Client. This also includes 534 the CoA requests that have a Service-Type attribute 535 with value 'Authorize Only'." 536 REFERENCE 537 "RFC 3576, Section 2.2, Change-of-Authorization 538 Messages (CoA)." 539 ::= { radiusDynAuthClientEntry 15 } 541 radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE 542 SYNTAX Counter32 543 UNITS "requests" 544 MAX-ACCESS read-only 545 STATUS current 546 DESCRIPTION 547 "The number of RADIUS CoA-requests that include a 548 Service-Type attribute with value 'Authorize Only' 549 received from this Dynamic Authorization Client." 550 REFERENCE 551 "RFC 3576, Section 2.2, Change-of-Authorization 552 Messages (CoA)." 553 ::= { radiusDynAuthClientEntry 16 } 555 radiusDynAuthServDupCoARequests OBJECT-TYPE 556 SYNTAX Counter32 557 UNITS "requests" 558 MAX-ACCESS read-only 559 STATUS current 560 DESCRIPTION 561 "The number of duplicate RADIUS CoA-Request 562 packets received from this Dynamic Authorization 563 Client." 564 REFERENCE 565 "RFC 3576, Section 2.2, Change-of-Authorization 566 Messages (CoA)." 
567 ::= { radiusDynAuthClientEntry 17 } 569 radiusDynAuthServCoAAcks OBJECT-TYPE 570 SYNTAX Counter32 571 UNITS "replies" 572 MAX-ACCESS read-only 573 STATUS current 574 DESCRIPTION 575 "The number of RADIUS CoA-ACK packets 576 sent to this Dynamic Authorization Client." 577 REFERENCE 578 "RFC 3576, Section 2.2, Change-of-Authorization 579 Messages (CoA)." 580 ::= { radiusDynAuthClientEntry 18 } 582 radiusDynAuthServCoANaks OBJECT-TYPE 583 SYNTAX Counter32 584 UNITS "replies" 585 MAX-ACCESS read-only 586 STATUS current 587 DESCRIPTION 588 "The number of RADIUS CoA-NAK packets sent to 589 this Dynamic Authorization Client. This includes 590 the RADIUS CoA-NAK packets sent with a Service-Type 591 attribute with value 'Authorize Only' and the RADIUS 592 CoA-NAK packets sent because no session context was 593 found." 594 REFERENCE 595 "RFC 3576, Section 2.2, Change-of-Authorization 596 Messages (CoA)." 597 ::= { radiusDynAuthClientEntry 19 } 599 radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE 600 SYNTAX Counter32 601 UNITS "replies" 602 MAX-ACCESS read-only 603 STATUS current 604 DESCRIPTION 605 "The number of RADIUS CoA-NAK packets that include a 606 Service-Type attribute with value 'Authorize Only' 607 sent to this Dynamic Authorization Client." 608 REFERENCE 609 "RFC 3576, Section 2.2, Change-of-Authorization 610 Messages (CoA)." 611 ::= { radiusDynAuthClientEntry 20 } 613 radiusDynAuthServCoANakSessNoContext OBJECT-TYPE 614 SYNTAX Counter32 615 UNITS "replies" 616 MAX-ACCESS read-only 617 STATUS current 618 DESCRIPTION 619 "The number of RADIUS CoA-NAK packets 620 sent to this Dynamic Authorization Client 621 because no session context was found." 622 REFERENCE 623 "RFC 3576, Section 2.2, Change-of-Authorization 624 Messages (CoA)." 
625 ::= { radiusDynAuthClientEntry 21 } 627 radiusDynAuthServCoAUserSessChanged OBJECT-TYPE 628 SYNTAX Counter32 629 UNITS "sessions" 630 MAX-ACCESS read-only 631 STATUS current 632 DESCRIPTION 633 "The number of user sessions authorization 634 changed for the CoA-Requests received from this 635 Dynamic Authorization Client. Depending on site 636 specific policies, a single CoA request can change 637 multiple user sessions' authorization. In the case 638 this Dynamic Authorization Server has no knowledge of 639 the number of user sessions that are affected by a 640 single request, for each such CoA-Request, it will 641 count as a single affected user session only." 642 REFERENCE 643 "RFC 3576, Section 2.2, Change-of-Authorization 644 Messages (CoA)." 645 ::= { radiusDynAuthClientEntry 22 } 647 radiusDynAuthServMalformedCoARequests OBJECT-TYPE 648 SYNTAX Counter32 649 UNITS "requests" 650 MAX-ACCESS read-only 651 STATUS current 652 DESCRIPTION 653 "The number of malformed RADIUS CoA-Request 654 packets received from this Dynamic Authorization 655 Client. Bad authenticators and unknown types are not 656 included as malformed CoA-Requests." 657 REFERENCE 658 "RFC 3576, Section 2.2, Change-of-Authorization 659 Messages (CoA), and Section 2.3, Packet Format." 660 ::= { radiusDynAuthClientEntry 23 } 662 radiusDynAuthServCoABadAuthenticators OBJECT-TYPE 663 SYNTAX Counter32 664 UNITS "requests" 665 MAX-ACCESS read-only 666 STATUS current 667 DESCRIPTION 668 "The number of RADIUS CoA-Request packets which 669 contained invalid Authenticator field received 670 from this Dynamic Authorization Client." 671 REFERENCE 672 "RFC 3576, Section 2.2, Change-of-Authorization 673 Messages (CoA), and Section 2.3, Packet Format." 
674 ::= { radiusDynAuthClientEntry 24 } 676 radiusDynAuthServCoAPacketsDropped OBJECT-TYPE 677 SYNTAX Counter32 678 UNITS "requests" 679 MAX-ACCESS read-only 680 STATUS current 681 DESCRIPTION 682 "The number of incoming CoA packets from this 683 Dynamic Authorization Client silently discarded 684 by the server application for some reason other than 685 malformed, bad authenticators or unknown types." 686 REFERENCE 687 "RFC 3576, Section 2.2, Change-of-Authorization 688 Messages (CoA), and Section 2.3, Packet Format." 689 ::= { radiusDynAuthClientEntry 25 } 691 radiusDynAuthServUnknownTypes OBJECT-TYPE 692 SYNTAX Counter32 693 UNITS "requests" 694 MAX-ACCESS read-only 695 STATUS current 696 DESCRIPTION 697 "The number of incoming packets of unknown types 698 which were received on the Dynamic Authorization port." 699 REFERENCE 700 "RFC 3576, Section 2.3, Packet Format." 701 ::= { radiusDynAuthClientEntry 26 } 703 -- conformance information 705 radiusDynAuthServerMIBConformance 706 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 } 707 radiusDynAuthServerMIBCompliances 708 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 } 709 radiusDynAuthServerMIBGroups 710 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 } 712 -- compliance statements 714 radiusAuthServerMIBCompliance MODULE-COMPLIANCE 715 STATUS current 716 DESCRIPTION 717 "The compliance statement for entities implementing 718 the RADIUS Dynamic Authorization Server." 719 MODULE -- this module 720 MANDATORY-GROUPS { radiusDynAuthServerMIBGroup } 722 GROUP radiusDynAuthServerAuthOnlyGroup 723 DESCRIPTION 724 "Only required for Dynamic Authorization Clients that 725 are supporting Service-Type attributes with value 726 'Authorize-Only'." 728 GROUP radiusDynAuthServerNoSessGroup 729 DESCRIPTION 730 "This group is not required in case the Dynamic 731 Authorization Server can not easily determine whether 732 a session exists or not (e.g., in case of a RADIUS 733 proxy)." 
735 ::= { radiusDynAuthServerMIBCompliances 1 } 737 -- units of conformance 739 radiusDynAuthServerMIBGroup OBJECT-GROUP 740 OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses, 741 radiusDynAuthServerCoAInvalidClientAddresses, 742 radiusDynAuthServerIdentifier, 743 radiusDynAuthClientAddressType, 744 radiusDynAuthClientAddress, 745 radiusDynAuthServDisconRequests, 746 radiusDynAuthServDupDisconRequests, 747 radiusDynAuthServDisconAcks, 748 radiusDynAuthServDisconNaks, 749 radiusDynAuthServDisconUserSessRemoved, 750 radiusDynAuthServMalformedDisconRequests, 751 radiusDynAuthServDisconBadAuthenticators, 752 radiusDynAuthServDisconPacketsDropped, 753 radiusDynAuthServCoARequests, 754 radiusDynAuthServDupCoARequests, 755 radiusDynAuthServCoAAcks, 756 radiusDynAuthServCoANaks, 757 radiusDynAuthServCoAUserSessChanged, 758 radiusDynAuthServMalformedCoARequests, 759 radiusDynAuthServCoABadAuthenticators, 760 radiusDynAuthServCoAPacketsDropped, 761 radiusDynAuthServUnknownTypes 763 } 764 STATUS current 765 DESCRIPTION 766 "The collection of objects providing management of 767 a RADIUS Dynamic Authorization Server." 768 ::= { radiusDynAuthServerMIBGroups 1 } 770 radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP 771 OBJECTS { radiusDynAuthServDisconAuthOnlyRequests, 772 radiusDynAuthServDisconNakAuthOnlyRequests, 773 radiusDynAuthServCoAAuthOnlyRequests, 774 radiusDynAuthServCoANakAuthOnlyRequests 775 } 776 STATUS current 777 DESCRIPTION 778 "The collection of objects supporting the RADIUS 779 messages including Service-Type attribute with 780 value 'Authorize Only'." 781 ::= { radiusDynAuthServerMIBGroups 2 } 783 radiusDynAuthServerNoSessGroup OBJECT-GROUP 784 OBJECTS { radiusDynAuthServDisconNakSessNoContext, 785 radiusDynAuthServCoANakSessNoContext 786 } 787 STATUS current 788 DESCRIPTION 789 "The collection of objects supporting the RADIUS 790 messages that are referring to non existing sessions." 791 ::= { radiusDynAuthServerMIBGroups 3 } 793 END 795 5. 
Security Considerations 797 There are no management objects defined in this MIB module that have 798 a MAX-ACCESS clause of read-write and/or read-create. So, if this 799 MIB module is implemented correctly, then there is no risk that an 800 intruder can alter or create any management objects of this MIB 801 module via direct SNMP SET operations 803 Some of the readable objects in this MIB module (i.e., objects with a 804 MAX-ACCESS other than not-accessible) may be considered sensitive or 805 vulnerable in some network environments. It is thus important to 806 control even GET and/or NOTIFY access to these objects and possibly 807 to even encrypt the values of these objects when sending them over 808 the network via SNMP. These are the tables and objects and their 809 sensitivity/vulnerability: 811 radiusDynAuthClientAddress and radiusDynAuthClientAddressType 813 These can be used to determine the address of the DAC with which the 814 DAS is communicating. This information could be useful in mounting 815 an attack on the DAC. 817 radiusDynAuthServerIdentifier 819 This can be used to determine the Identifier of the DAS. This 820 information could be useful in impersonating the DAS. 822 SNMP versions prior to SNMPv3 did not include adequate security. 823 Even if the network itself is secure (for example by using IPsec), 824 even then, there is no control as to who on the secure network is 825 allowed to access and GET/SET (read/change/create/delete) the objects 826 in this MIB module. 828 It is RECOMMENDED that implementers consider the security features as 829 provided by the SNMPv3 framework (see [RFC3410], section 8), 830 including full support for the SNMPv3 cryptographic mechanisms (for 831 authentication and privacy). 833 Further, deployment of SNMP versions prior to SNMPv3 is NOT 834 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to 835 enable cryptographic security. 
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID xxx under mib-2.

7.  Acknowledgements

   The authors would like to acknowledge the following people for their
   comments on this document: Bernard Aboba, Alan DeKok, David Nelson,
   Anjaneyulu Pata, Dan Romascanu, Greg Weber, Bert Wijnen, and Glen
   Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-ietf-radext-dynauth-client-mib-03.txt, work in
              progress, December 2005.

   [RFC2618bis]
              Nelson, D., "RADIUS Auth Client MIB (IPv6)",
              draft-ietf-radext-rfc2618bis-01.txt, work in progress,
              October 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.

   [RFC2620bis]
              Nelson, D., "RADIUS Acct Client MIB (IPv6)",
              draft-ietf-radext-rfc2620bis-01.txt, work in progress,
              October 2005.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose, CA 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
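   What the access-control arrangement of Section 5 looks like on an
   agent, as an added example written for this page rather than taken
   from the draft or from any implementation: a net-snmp snmpd.conf
   fragment that shows the weak SNMPv1/v2c community line (commented
   out) beside an SNMPv3 USM user restricted to authPriv, read-only,
   through a VACM view that withholds the three objects Section 5 lists
   as sensitive.  The user and view names, the placeholder passphrases,
   and the assumption that the agent is net-snmp with this MIB module
   loaded so that the object names resolve are all mine; since the
   module's arc under mib-2 is not yet assigned (Section 6), the view
   refers to the objects by name rather than by numeric OID.

```conf
# snmpd.conf fragment -- example written for this page, not taken from
# the draft or from any vendor configuration.

# WEAK (do not deploy): SNMPv1/v2c community access.  No authentication,
# no privacy; anyone who can reach UDP/161 and guesses "public" reads
# every object below mib-2, including radiusDynAuthClientAddress and
# radiusDynAuthServerIdentifier, in cleartext.
#
#   rocommunity public default .1.3.6.1.2.1

# HARDENED: SNMPv3 USM principal for the monitoring system.  SHA-1
# authentication and AES-128 privacy; both passphrases are placeholders
# to be replaced before use (net-snmp moves this line into its
# persistent store the first time the agent starts).
createUser nocmon SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"

# VACM view: everything under mib-2 except the objects Section 5 marks
# as sensitive.  Excluding a columnar object hides every row of it.
# The names resolve only if the MIB module is loaded into the agent;
# once IANA assigns the module's arc the numeric OIDs can be used.
view dynauth-mon included  .1.3.6.1.2.1
view dynauth-mon excluded  radiusDynAuthClientAddressType
view dynauth-mon excluded  radiusDynAuthClientAddress
view dynauth-mon excluded  radiusDynAuthServerIdentifier

# Bind the principal to the view.  "priv" is the minimum security level:
# a request sent as authNoPriv or noAuthNoPriv under this user is
# refused, so the counters never cross the network unencrypted.  rouser
# grants GET/GETNEXT/GETBULK only, which matches a module whose objects
# are all read-only or not-accessible.
rouser nocmon priv -V dynauth-mon
```

   What the principal still sees is the counter set, which is what a
   monitoring system needs; among those, the BadAuthenticators and
   Malformed*Requests counters are the ones worth alerting on, since a
   rising count points at forged, replayed, or mis-keyed DAC traffic.
   To check the result, walk the agent with snmpwalk -v3 -l authPriv
   -u nocmon (with -a SHA/-A and -x AES/-X for the two passphrases) and
   confirm that the three excluded objects are absent from the output,
   then repeat the walk with -l noAuthNoPriv and confirm that the agent
   refuses it.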