Network Working Group                                       S. De Cnodder
Internet-Draft                                                    Alcatel
Expires: September 14, 2006                                    N. Jonnala
                                                                 M. Chiba
                                                      Cisco Systems, Inc.
                                                           March 13, 2006

                    Dynamic Authorization Server MIB
               draft-ietf-radext-dynauth-server-mib-04.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 14, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS) [RFC2865] Dynamic Authorization Server (DAS)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
       1.1.  Requirements notation
       1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Server MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices so
   that they can handle the Disconnect and Change-of-Authorization (CoA)
   messages described in [RFC3576].  As a result, the effective
   management of RADIUS Dynamic Authorization entities is of
   considerable importance.  This RADIUS Dynamic Authorization Server
   (DAS) MIB complements the managed objects used for managing RADIUS
   authentication and accounting clients as described in [RFC2618bis]
   and [RFC2620bis], respectively.

   -- RFC Ed.: references [DYNSERV], [RFC2618bis], [RFC2619bis],
   -- [RFC2620bis], and [RFC2621bis] should be replaced by
   -- references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS which processes the
      Disconnect and Change-of-Authorization (CoA) Request packets
      [RFC3576] sent by the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component which sends Disconnect and CoA-Request packets to
      the Dynamic Authorization Server.  While often residing on the
      RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens for
      the Disconnect and CoA requests sent by the Dynamic Authorization
      Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant with SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
   Request, CoA-ACK and CoA-NAK packets.  Typically NAS devices
   implement the DAS function, and thus would be expected to implement
   the RADIUS Dynamic Authorization Server MIB, while DACs implement the
   client function, and thus would be expected to implement the RADIUS
   Dynamic Authorization Client MIB.
   However, it is possible for a RADIUS Dynamic Authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for Dynamic Authorization Servers and
   relates to the following documents as follows:

   [RFC2618bis] describes the RADIUS Authentication Client MIB.

   [RFC2619bis] describes the RADIUS Authentication Server MIB.

   [RFC2620bis] describes the RADIUS Accounting Client MIB.

   [RFC2621bis] describes the RADIUS Accounting Server MIB.

   [DYNCLNT] describes the MIB for a RADIUS Dynamic Authorization
   Client.

   A NAS typically implements the MIBs for a RADIUS Authentication
   Client, a RADIUS accounting client, and a RADIUS Dynamic
   Authorization Server.  However, any one MIB can be implemented
   without implementing any of the other MIBs, i.e., the MIBs have no
   dependencies on each other.  A typical case would be for a device to
   implement the RADIUS authentication server, RADIUS accounting server
   and RADIUS Dynamic Authorization Client MIBs.  A RADIUS proxy might
   implement any, all or a subset of the MIBs listed above and the MIB
   as defined in this document.

             +---------------+                       +---------------+
   User 1----|               |  Disconnect-Request   |               |
             |    Dynamic    |      CoA-Request      |    Dynamic    |
   User 2----| Authorization |<----------------------| Authorization |
             |    Server     |---------------------->|    Client     |
   User 3----|     (DAS)     |    Disconnect-Ack     |     (DAC)     |
             |               |    Disconnect-NAK     |               |
             +---------------+    CoA-Ack/CoA-NAK    +---------------+

                  Figure 1: Mapping of clients and servers.

   This MIB module for the Dynamic Authorization Server contains the
   following:

   1.  Three scalar objects, and

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC with which the DAS shares a secret.

4.  RADIUS Dynamic Authorization Server MIB Definitions

RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
       Counter32, Integer32, mib-2  FROM SNMPv2-SMI         -- [RFC2578]
       SnmpAdminString              FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
       InetAddressType,
       InetAddress                  FROM INET-ADDRESS-MIB   -- [RFC4001]
       MODULE-COMPLIANCE,
       OBJECT-GROUP                 FROM SNMPv2-CONF;       -- [RFC2580]

radiusDynAuthServerMIB MODULE-IDENTITY
       LAST-UPDATED "200603100000Z" -- 10 March 2006
       ORGANIZATION "IETF RADEXT Working Group"
       CONTACT-INFO
              " Stefaan De Cnodder
                Alcatel
                Francis Wellesplein 1
                B-2018 Antwerp
                Belgium

                Phone: +32 3 240 85 15
                EMail: stefaan.de_cnodder@alcatel.be

                Nagi Reddy Jonnala
                Cisco Systems, Inc.
                Divyasree Chambers, B Wing,
                O'Shaugnessy Road,
                Bangalore-560027, India.

                Phone: +91 98456 99445
                EMail: njonnala@cisco.com

                Murtaza Chiba
                Cisco Systems, Inc.
                170 West Tasman Dr.
                San Jose CA, 95134

                Phone: +1 408 525 7198
                EMail: mchiba@cisco.com "
       DESCRIPTION
             "The MIB module for entities implementing the server
              side of the Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS) protocol.

              Copyright (C) The Internet Society (2006).  Initial
              version as published in RFC yyyy;
              for full legal notices see the RFC its"
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note

       REVISION "200603100000Z" -- 10 March 2006
       DESCRIPTION "Initial version as published in RFC yyyy."
       -- RFC Ed.: replace yyyy with actual RFC number & remove this note
       ::= { mib-2 xxx }
       -- The value xxx to be assigned by IANA.
radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                      { radiusDynAuthServerMIB 1 }

radiusDynAuthServerScalars OBJECT IDENTIFIER ::=
                                      { radiusDynAuthServerMIBObjects 1 }

radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of Disconnect-Request packets received from
              unknown addresses.  This counter wraps from the maximum
              value to zero and is reset upon system
              (re)initialization."
       ::= { radiusDynAuthServerScalars 1 }

radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of CoA-Request packets received from unknown
              addresses.  This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       ::= { radiusDynAuthServerScalars 2 }

radiusDynAuthServerIdentifier OBJECT-TYPE
       SYNTAX     SnmpAdminString
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS Dynamic Authorization
              Server.  This is not necessarily the same as sysName in
              MIB II."
       REFERENCE
             "RFC 2865, Section 5.32, NAS-Identifier."
       ::= { radiusDynAuthServerScalars 3 }

radiusDynAuthClientTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusDynAuthClientEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS Dynamic
              Authorization Clients with which the server shares a
              secret."
       ::= { radiusDynAuthServerMIBObjects 2 }

radiusDynAuthClientEntry OBJECT-TYPE
       SYNTAX     RadiusDynAuthClientEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "An entry (conceptual row) representing one Dynamic
              Authorization Client with which the server shares a
              secret."
       INDEX      { radiusDynAuthClientIndex }
       ::= { radiusDynAuthClientTable 1 }

RadiusDynAuthClientEntry ::= SEQUENCE {
       radiusDynAuthClientIndex                     Integer32,
       radiusDynAuthClientAddressType               InetAddressType,
       radiusDynAuthClientAddress                   InetAddress,
       radiusDynAuthServDisconRequests              Counter32,
       radiusDynAuthServDisconAuthOnlyRequests      Counter32,
       radiusDynAuthServDupDisconRequests           Counter32,
       radiusDynAuthServDisconAcks                  Counter32,
       radiusDynAuthServDisconNaks                  Counter32,
       radiusDynAuthServDisconNakAuthOnlyRequests   Counter32,
       radiusDynAuthServDisconNakSessNoContext      Counter32,
       radiusDynAuthServDisconUserSessRemoved       Counter32,
       radiusDynAuthServMalformedDisconRequests     Counter32,
       radiusDynAuthServDisconBadAuthenticators     Counter32,
       radiusDynAuthServDisconPacketsDropped        Counter32,
       radiusDynAuthServCoARequests                 Counter32,
       radiusDynAuthServCoAAuthOnlyRequests         Counter32,
       radiusDynAuthServDupCoARequests              Counter32,
       radiusDynAuthServCoAAcks                     Counter32,
       radiusDynAuthServCoANaks                     Counter32,
       radiusDynAuthServCoANakAuthOnlyRequests      Counter32,
       radiusDynAuthServCoANakSessNoContext         Counter32,
       radiusDynAuthServCoAUserSessChanged          Counter32,
       radiusDynAuthServMalformedCoARequests        Counter32,
       radiusDynAuthServCoABadAuthenticators        Counter32,
       radiusDynAuthServCoAPacketsDropped           Counter32,
       radiusDynAuthServUnknownTypes                Counter32
}

radiusDynAuthClientIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "A number uniquely identifying each RADIUS Dynamic
              Authorization Client with which this Dynamic
              Authorization Server communicates.  This number is
              allocated by the agent implementing this MIB module,
              and is unique in this context."
       ::= { radiusDynAuthClientEntry 1 }

radiusDynAuthClientAddressType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The type of IP address of the RADIUS Dynamic
              Authorization Client referred to in this table entry."
       ::= { radiusDynAuthClientEntry 2 }

radiusDynAuthClientAddress OBJECT-TYPE
       SYNTAX     InetAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The IP address value of the RADIUS Dynamic
              Authorization Client referred to in this table entry,
              using the version neutral IP address format."
       ::= { radiusDynAuthClientEntry 3 }

radiusDynAuthServDisconRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests received
              from this Dynamic Authorization Client.  This also
              includes the RADIUS Disconnect-Requests that have a
              Service-Type attribute with value 'Authorize Only'.
              This counter wraps from the maximum value to zero and
              is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 4 }

radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-Requests that include
              a Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Client.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 5 }

radiusDynAuthServDupDisconRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of duplicate RADIUS Disconnect-Request
              packets received from this Dynamic Authorization
              Client.  This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 6 }

radiusDynAuthServDisconAcks OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-ACK packets sent to
              this Dynamic Authorization Client.  This counter wraps
              from the maximum value to zero and is reset upon system
              (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 7 }

radiusDynAuthServDisconNaks OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              sent to this Dynamic Authorization Client.  This
              includes the RADIUS Disconnect-NAK packets sent
              with a Service-Type attribute with value 'Authorize
              Only' and the RADIUS Disconnect-NAK packets sent
              because no session context was found.  This counter
              wraps from the maximum value to zero and is reset
              upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 8 }

radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets that
              include a Service-Type attribute with value
              'Authorize Only' sent to this Dynamic Authorization
              Client.
              This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 9 }

radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-NAK packets
              sent to this Dynamic Authorization Client
              because no session context was found.  This counter
              wraps from the maximum value to zero and is reset
              upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 10 }

radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "sessions"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of user sessions removed for the
              Disconnect-Requests received from this
              Dynamic Authorization Client.  Depending on site
              specific policies, a single Disconnect request
              can remove multiple user sessions.  In the case
              that this Dynamic Authorization Server has no
              knowledge of the number of user sessions that
              are affected by a single request, for each such
              Disconnect-Request, it will count as a single
              affected user session only.  This counter wraps from
              the maximum value to zero and is reset upon system
              (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM)."
       ::= { radiusDynAuthClientEntry 11 }

radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of malformed RADIUS Disconnect-Request
              packets received from this Dynamic Authorization
              Client.  Bad authenticators and unknown types are not
              included as malformed Disconnect-Requests.
              This counter
              wraps from the maximum value to zero and is reset upon
              system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 12 }

radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Disconnect-Request packets
              which contained invalid Authenticator field
              received from this Dynamic Authorization Client.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 13 }

radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of incoming Disconnect-Requests
              from this Dynamic Authorization Client silently
              discarded by the server application for some reason
              other than malformed, bad authenticators or unknown
              types.  This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.1, Disconnect Messages (DM), and
              Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 14 }

radiusDynAuthServCoARequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-requests received from this
              Dynamic Authorization Client.  This also includes
              the CoA requests that have a Service-Type attribute
              with value 'Authorize Only'.  This counter wraps from
              the maximum value to zero and is reset upon system
              (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 15 }

radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-requests that include a
              Service-Type attribute with value 'Authorize Only'
              received from this Dynamic Authorization Client.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 16 }

radiusDynAuthServDupCoARequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of duplicate RADIUS CoA-Request packets
              received from this Dynamic Authorization Client.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 17 }

radiusDynAuthServCoAAcks OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-ACK packets sent to this
              Dynamic Authorization Client.  This counter wraps from
              the maximum value to zero and is reset upon system
              (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 18 }

radiusDynAuthServCoANaks OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets sent to
              this Dynamic Authorization Client.  This includes
              the RADIUS CoA-NAK packets sent with a Service-Type
              attribute with value 'Authorize Only' and the RADIUS
              CoA-NAK packets sent because no session context was
              found.
              This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 19 }

radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets that include a
              Service-Type attribute with value 'Authorize Only'
              sent to this Dynamic Authorization Client.  This counter
              wraps from the maximum value to zero and is reset upon
              system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 20 }

radiusDynAuthServCoANakSessNoContext OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "replies"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-NAK packets sent to this
              Dynamic Authorization Client because no session context
              was found.  This counter wraps from the maximum value to
              zero and is reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 21 }

radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "sessions"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of user sessions authorization
              changed for the CoA-Requests received from this
              Dynamic Authorization Client.  Depending on site
              specific policies, a single CoA request can change
              multiple user sessions' authorization.  In the case
              this Dynamic Authorization Server has no knowledge of
              the number of user sessions that are affected by a
              single request, for each such CoA-Request, it will
              count as a single affected user session only.
              This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA)."
       ::= { radiusDynAuthClientEntry 22 }

radiusDynAuthServMalformedCoARequests OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of malformed RADIUS CoA-Request packets
              received from this Dynamic Authorization Client.  Bad
              authenticators and unknown types are not included as
              malformed CoA-Requests.  This counter wraps from the
              maximum value to zero and is reset upon system
              (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 23 }

radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS CoA-Request packets which
              contained invalid Authenticator field received
              from this Dynamic Authorization Client.  This counter
              wraps from the maximum value to zero and is reset
              upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 24 }

radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of incoming CoA packets from this
              Dynamic Authorization Client silently discarded
              by the server application for some reason other than
              malformed, bad authenticators or unknown types.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.2, Change-of-Authorization
              Messages (CoA), and Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 25 }

radiusDynAuthServUnknownTypes OBJECT-TYPE
       SYNTAX     Counter32
       UNITS      "requests"
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of incoming packets of unknown types which
              were received on the Dynamic Authorization port.  This
              counter wraps from the maximum value to zero and is
              reset upon system (re)initialization."
       REFERENCE
             "RFC 3576, Section 2.3, Packet Format."
       ::= { radiusDynAuthClientEntry 26 }

-- conformance information

radiusDynAuthServerMIBConformance
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
radiusDynAuthServerMIBCompliances
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
radiusDynAuthServerMIBGroups
       OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

-- compliance statements

-- The descriptor follows this module's radiusDynAuthServer* naming;
-- radiusAuthServerMIBCompliance is already defined by
-- RADIUS-AUTH-SERVER-MIB (RFC 2619) and must not be reused here.
radiusDynAuthServerMIBCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for entities implementing
              the RADIUS Dynamic Authorization Server."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }

       GROUP radiusDynAuthServerAuthOnlyGroup
       DESCRIPTION
             "Only required for Dynamic Authorization Clients that
              are supporting Service-Type attributes with value
              'Authorize-Only'."

       GROUP radiusDynAuthServerNoSessGroup
       DESCRIPTION
             "This group is not required in case the Dynamic
              Authorization Server cannot easily determine whether
              a session exists or not (e.g., in case of a RADIUS
              proxy)."
       ::= { radiusDynAuthServerMIBCompliances 1 }

-- units of conformance

radiusDynAuthServerMIBGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                 radiusDynAuthServerCoAInvalidClientAddresses,
                 radiusDynAuthServerIdentifier,
                 radiusDynAuthClientAddressType,
                 radiusDynAuthClientAddress,
                 radiusDynAuthServDisconRequests,
                 radiusDynAuthServDupDisconRequests,
                 radiusDynAuthServDisconAcks,
                 radiusDynAuthServDisconNaks,
                 radiusDynAuthServDisconUserSessRemoved,
                 radiusDynAuthServMalformedDisconRequests,
                 radiusDynAuthServDisconBadAuthenticators,
                 radiusDynAuthServDisconPacketsDropped,
                 radiusDynAuthServCoARequests,
                 radiusDynAuthServDupCoARequests,
                 radiusDynAuthServCoAAcks,
                 radiusDynAuthServCoANaks,
                 radiusDynAuthServCoAUserSessChanged,
                 radiusDynAuthServMalformedCoARequests,
                 radiusDynAuthServCoABadAuthenticators,
                 radiusDynAuthServCoAPacketsDropped,
                 radiusDynAuthServUnknownTypes
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects providing management of
              a RADIUS Dynamic Authorization Server."
       ::= { radiusDynAuthServerMIBGroups 1 }

radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
                 radiusDynAuthServDisconNakAuthOnlyRequests,
                 radiusDynAuthServCoAAuthOnlyRequests,
                 radiusDynAuthServCoANakAuthOnlyRequests
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects supporting the RADIUS
              messages including Service-Type attribute with
              value 'Authorize Only'."
       ::= { radiusDynAuthServerMIBGroups 2 }

radiusDynAuthServerNoSessGroup OBJECT-GROUP
       OBJECTS { radiusDynAuthServDisconNakSessNoContext,
                 radiusDynAuthServCoANakSessNoContext
               }
       STATUS  current
       DESCRIPTION
             "The collection of objects supporting the RADIUS
              messages that are referring to non existing sessions."
       ::= { radiusDynAuthServerMIBGroups 3 }

END
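The counter definitions above describe what a DAS counts but not the order in which a received datagram is tested, which is what decides whether it lands in the malformed, bad-authenticator, unknown-type or plain request counter. The following Python is an added example, not part of this draft or of any RADIUS implementation, that walks one datagram through those checks in the order the DESCRIPTION clauses imply (unknown type, then malformed, then bad Request Authenticator, then request/duplicate/Authorize-Only) and bumps the correspondingly named counters. It assumes the Request Authenticator rule of RFC 3576 Section 2.3 (MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret), detects duplicates by (Identifier, Authenticator) per client (the source UDP port is left out for brevity), and uses constructed addresses, a constructed secret and a small fixture builder for the sample packets.

```python
"""Sort datagrams on the DAS port into RADIUS-DYNAUTH-SERVER-MIB counters."""
import hashlib
import hmac
from collections import Counter

# Packet codes from RFC 3576, Section 2.3; Service-Type (RFC 2865 type 6)
# with value 17 "Authorize Only" is what the *AuthOnly* counters key on.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
SERVICE_TYPE = 6
AUTHORIZE_ONLY = (17).to_bytes(4, "big")
HEADER_LEN = 20            # Code(1) Identifier(1) Length(2) Authenticator(16)
KIND = {DISCONNECT_REQUEST: "Discon", COA_REQUEST: "CoA"}


def request_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 3576 Request Authenticator over the packet with a zeroed field."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()


def parse_attributes(payload: bytes):
    """Decode Type/Length/Value attributes; None on any encoding error."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            return None
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            return None
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


class DynAuthServerCounters:
    """One radiusDynAuthClientTable row per configured DAC address plus the
    two *InvalidClientAddresses scalars, keyed by the MIB's descriptors."""

    def __init__(self, clients: dict):
        self.clients = clients                      # {DAC address: shared secret}
        self.scalars = Counter()
        self.rows = {addr: Counter() for addr in clients}
        self._seen = {addr: set() for addr in clients}   # (Identifier, Authenticator)

    def receive(self, src: str, packet: bytes) -> list:
        """Classify one datagram and return the counters it incremented."""
        code = packet[0] if packet else None
        if src not in self.clients:
            # Unknown DAC: only the Disconnect/CoA scalars exist for this case.
            if code in KIND:
                name = f"radiusDynAuthServer{KIND[code]}InvalidClientAddresses"
                self.scalars[name] += 1
                return [name]
            return []
        row, bumped = self.rows[src], []

        def bump(name):
            row[name] += 1
            bumped.append(name)

        if code not in KIND:
            bump("radiusDynAuthServUnknownTypes")
            return bumped
        kind = KIND[code]
        # Malformed = short packet, Length field mismatch or bad TLV encoding.
        # Per the MIB, bad authenticators and unknown types are not "malformed".
        length = int.from_bytes(packet[2:4], "big") if len(packet) >= 4 else -1
        attrs = parse_attributes(packet[HEADER_LEN:]) if len(packet) >= HEADER_LEN else None
        if length != len(packet) or attrs is None:
            bump(f"radiusDynAuthServMalformed{kind}Requests")
            return bumped
        expected = request_authenticator(packet, self.clients[src])
        if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
            bump(f"radiusDynAuthServ{kind}BadAuthenticators")
            return bumped
        bump(f"radiusDynAuthServ{kind}Requests")
        if (SERVICE_TYPE, AUTHORIZE_ONLY) in attrs:
            bump(f"radiusDynAuthServ{kind}AuthOnlyRequests")
        key = (packet[1], packet[4:HEADER_LEN])
        if key in self._seen[src]:
            bump(f"radiusDynAuthServDup{kind}Requests")
        self._seen[src].add(key)
        return bumped


def build_request(code: int, identifier: int, attrs: list, secret: bytes) -> bytes:
    """Constructed test fixture: a well-formed request with a valid authenticator."""
    payload = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    head = bytes([code, identifier]) + (HEADER_LEN + len(payload)).to_bytes(2, "big")
    return head + request_authenticator(head + bytes(16) + payload, secret) + payload


def demo() -> DynAuthServerCounters:
    """Feed constructed traffic from one known and one unknown DAC."""
    secret = b"constructed-secret"
    das = DynAuthServerCounters({"192.0.2.10": secret})
    user = (1, b"alice")                                                  # User-Name
    das.receive("192.0.2.10", build_request(DISCONNECT_REQUEST, 1, [user], secret))
    das.receive("192.0.2.10", build_request(DISCONNECT_REQUEST, 1, [user], secret))  # retransmit
    das.receive("192.0.2.10", build_request(COA_REQUEST, 2, [user, (SERVICE_TYPE, AUTHORIZE_ONLY)], secret))
    das.receive("192.0.2.10", build_request(COA_REQUEST, 3, [user], b"wrong-secret"))  # bad authenticator
    das.receive("192.0.2.10", b"\x2b\x04\x00\x15" + bytes(16) + b"\x01")  # CoA with truncated attribute
    das.receive("192.0.2.10", build_request(99, 4, [user], secret))      # unknown code
    das.receive("198.51.100.7", build_request(COA_REQUEST, 5, [user], secret))  # not a configured DAC
    return das
```

The check order matters for the counters' meaning: a forged packet that is also truncated is counted as malformed, not as a bad authenticator, because the authenticator is only computed once the packet parses, and that is what the "not included as malformed" wording in the MIB pins down.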
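Every counter in the module is a Counter32 that "wraps from the maximum value to zero and is reset upon system (re)initialization", and radiusDynAuthClientIndex is allocated by the agent, so a manager that polls the table has three things to get right before the numbers mean anything: wrap-aware subtraction, detecting a restart between polls, and not diffing a row whose index now belongs to a different DAC. This added Python example (not part of the draft, and not tied to any SNMP library) takes two constructed polls, each carrying MIB-II sysUpTime.0 plus this module's scalars and table rows, computes the per-interval deltas, and applies a small alert rule over the bad-authenticator, malformed and invalid-client-address counters. The addresses, counter values and the alert threshold are constructed.

```python
"""Wrap-aware deltas over two polls of RADIUS-DYNAUTH-SERVER-MIB and an alert rule."""
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32
# Columns and scalars in this module that are not Counter32 and must not be diffed.
NON_COUNTER = {"radiusDynAuthClientAddressType", "radiusDynAuthClientAddress",
               "radiusDynAuthServerIdentifier"}


@dataclass
class Poll:
    """One polling pass: sysUpTime.0 (MIB-II TimeTicks), the module's scalars,
    and radiusDynAuthClientTable rows keyed by radiusDynAuthClientIndex."""
    sys_uptime: int
    scalars: dict
    rows: dict


def counter32_delta(previous: int, current: int) -> int:
    """Increase between two Counter32 samples, tolerating one wrap to zero."""
    return (current - previous) % COUNTER32_MODULUS


def poll_deltas(earlier: Poll, later: Poll):
    """Return (scalar_deltas, row_deltas), or None when sysUpTime went backwards:
    the agent reinitialized, every counter was reset, and a delta is meaningless."""
    if later.sys_uptime < earlier.sys_uptime:
        return None
    scalar_deltas = {name: counter32_delta(earlier.scalars[name], value)
                     for name, value in later.scalars.items() if name not in NON_COUNTER}
    row_deltas = {}
    for index, row in later.rows.items():
        previous = earlier.rows.get(index)
        # The index is agent-allocated: only diff a row whose DAC address is
        # unchanged; a new or re-used index yields no delta this interval.
        if previous is None or previous["radiusDynAuthClientAddress"] != row["radiusDynAuthClientAddress"]:
            continue
        row_deltas[index] = {name: counter32_delta(previous[name], value)
                             for name, value in row.items() if name not in NON_COUNTER}
    return scalar_deltas, row_deltas


def findings(earlier: Poll, later: Poll, bad_auth_threshold: int = 3) -> list:
    """Alert strings for one interval; the threshold is a constructed default."""
    deltas = poll_deltas(earlier, later)
    if deltas is None:
        return ["agent reinitialized between polls; counters reset, no deltas computed"]
    scalar_deltas, row_deltas = deltas
    out = []
    for kind in ("Discon", "CoA"):
        n = scalar_deltas.get(f"radiusDynAuthServer{kind}InvalidClientAddresses", 0)
        if n:
            out.append(f"{n} {kind} request(s) from addresses not configured as DACs")
    for index, d in row_deltas.items():
        addr = later.rows[index]["radiusDynAuthClientAddress"]
        bad = d["radiusDynAuthServDisconBadAuthenticators"] + d["radiusDynAuthServCoABadAuthenticators"]
        if bad >= bad_auth_threshold:
            out.append(f"DAC {addr}: {bad} bad Request Authenticators (secret mismatch or forged requests)")
        malformed = d["radiusDynAuthServMalformedDisconRequests"] + d["radiusDynAuthServMalformedCoARequests"]
        if malformed:
            out.append(f"DAC {addr}: {malformed} malformed request(s)")
    return out


COLS = ["radiusDynAuthServDisconRequests", "radiusDynAuthServDisconBadAuthenticators",
        "radiusDynAuthServCoARequests", "radiusDynAuthServCoABadAuthenticators",
        "radiusDynAuthServMalformedDisconRequests", "radiusDynAuthServMalformedCoARequests"]


def _row(addr: str, *counts: int) -> dict:
    """Constructed table row with only the columns this example diffs."""
    row = {"radiusDynAuthClientAddressType": "ipv4", "radiusDynAuthClientAddress": addr}
    row.update(zip(COLS, counts))
    return row


def demo():
    """Two constructed polls: one counter wraps, one DAC mis-signs, index 2 is re-used."""
    earlier = Poll(sys_uptime=100,
                   scalars={"radiusDynAuthServerDisconInvalidClientAddresses": 0,
                            "radiusDynAuthServerCoAInvalidClientAddresses": 7,
                            "radiusDynAuthServerIdentifier": "nas1.example"},
                   rows={1: _row("192.0.2.10", 4294967290, 0, 50, 0, 0, 0),
                         2: _row("192.0.2.11", 10, 0, 10, 0, 0, 0)})
    later = Poll(sys_uptime=6100,
                 scalars={"radiusDynAuthServerDisconInvalidClientAddresses": 2,
                          "radiusDynAuthServerCoAInvalidClientAddresses": 7,
                          "radiusDynAuthServerIdentifier": "nas1.example"},
                 rows={1: _row("192.0.2.10", 3, 0, 52, 4, 0, 1),
                       2: _row("198.51.100.9", 1, 0, 0, 0, 0, 0)})
    scalar_deltas, row_deltas = poll_deltas(earlier, later)
    return scalar_deltas, row_deltas, findings(earlier, later)
```

Keying the alert on the bad-authenticator and invalid-client-address counters is the operational counterpart of the Security Considerations: those two counters are the only places where a DAS records requests that did not come from a configured, correctly keyed DAC.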
5.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
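   The first paragraph of this section rests on a property of the
   module text itself: every OBJECT-TYPE carries a MAX-ACCESS of
   read-only or not-accessible, so no SET can succeed.  That property is
   cheap to re-verify mechanically whenever the module is revised.  The
   following Python is an added example, not part of the draft: a small
   regex-based reader of OBJECT-TYPE macros (smilint or pysmi would be
   the full-strength tools) that reports any object allowing SET and
   lists the objects reachable by GET, including the ones this section
   flags as sensitive, which is the set an operator would confine to a
   restricted SNMPv3 view.  The embedded SAMPLE_MIB is constructed: one
   object copied from the draft plus two invented objects, one of them
   deliberately writable so the check has something to report.

```python
"""Audit the access invariant the Security Considerations rely on.

Added example, not part of the draft.  Extracts every OBJECT-TYPE macro from
SMIv2 module text and reports (a) objects whose MAX-ACCESS would allow an SNMP
SET, which must be none for this module, and (b) objects a GET can reach, the
candidates for a restricted VACM view.  A regex reader is adequate for
well-formed module text; smilint or pysmi are the full parsers.
"""
import re

# One OBJECT-TYPE macro: descriptor, then its MAX-ACCESS, then the OID assignment.
OBJECT_TYPE_RE = re.compile(
    r"\b(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE\b"
    r".*?\bMAX-ACCESS\s+(?P<access>[a-z-]+)"
    r".*?::=\s*\{\s*(?P<parent>[\w-]+)\s+(?P<sub>\d+)\s*\}",
    re.DOTALL,
)
WRITABLE = {"read-write", "read-create"}

# Objects the draft's Security Considerations single out as sensitive to GET.
SENSITIVE = {
    "radiusDynAuthClientAddress",
    "radiusDynAuthClientAddressType",
    "radiusDynAuthServerIdentifier",
}


def parse_object_types(mib_text):
    """Return [(name, max_access, parent, subid)] in definition order."""
    return [
        (m["name"], m["access"], m["parent"], int(m["sub"]))
        for m in OBJECT_TYPE_RE.finditer(mib_text)
    ]


def audit(mib_text):
    """Return three sorted lists: (writable, exposed, sensitive_present).

    writable:          objects an SNMP SET could alter; empty for a sound module
    exposed:           objects a GET can read (MAX-ACCESS other than not-accessible)
    sensitive_present: exposed objects the draft flags as sensitive
    """
    objs = parse_object_types(mib_text)
    writable = sorted(n for n, a, _, _ in objs if a in WRITABLE)
    exposed = sorted(n for n, a, _, _ in objs if a != "not-accessible")
    sensitive_present = sorted(n for n in exposed if n in SENSITIVE)
    return writable, exposed, sensitive_present


# Constructed sample: one object copied from the draft, two invented ones.
SAMPLE_MIB = """
-- copied from the draft
radiusDynAuthServUnknownTypes OBJECT-TYPE
    SYNTAX Counter32
    UNITS "requests"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of incoming packets of unknown types which
        were received on the Dynamic Authorization port."
    REFERENCE
        "RFC 3576, Section 2.3, Packet Format."
    ::= { radiusDynAuthClientEntry 26 }

-- constructed: a row index, correctly not-accessible
exampleClientIndex OBJECT-TYPE
    SYNTAX Integer32 (1..2147483647)
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION "Constructed row index, not from the draft."
    ::= { exampleEntry 1 }

-- constructed: the kind of writable object the draft deliberately has none of
exampleResetKnob OBJECT-TYPE
    SYNTAX INTEGER { noop(1), reset(2) }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION "Constructed writable object, not from the draft."
    ::= { exampleEntry 2 }
"""

if __name__ == "__main__":
    writable, exposed, sensitive = audit(SAMPLE_MIB)
    print("writable objects (must be empty):", writable)
    print("objects reachable by GET:", exposed)
    print("sensitive objects present:", sensitive)
```

   Run against the full module text, audit() should return an empty
   writable list; the exposed list is what a VACM view for a monitoring
   principal needs to cover, and nothing more.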
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID xxx under mib-2.

7.  Acknowledgements

   The authors would also like to acknowledge the following people for
   their comments on this document: Bernard Aboba, Alan DeKok, David
   Nelson, Anjaneyulu Pata, Dan Romascanu, Greg Weber, Bert Wijnen, and
   Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and
              J. Schoenwaelder, "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M.
              Chiba, "RADIUS Dynamic Authorization Client MIB",
              draft-ietf-radext-dynauth-client-mib-03.txt, work in
              progress, December 2005.

   [RFC2618bis]
              Nelson, D., "RADIUS Auth Client MIB (IPv6)",
              draft-ietf-radext-rfc2618bis-01.txt, work in progress,
              October 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.

   [RFC2620bis]
              Nelson, D., "RADIUS Acct Client MIB (IPv6)",
              draft-ietf-radext-rfc2620bis-01.txt, work in progress,
              October 2005.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaughnessy Road
   Bangalore-560027, India

   Phone: +91 98456 99445
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose, CA 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).
   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.