Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: September 30, 2006                                   N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                          March 29, 2006

                    Dynamic Authorization Server MIB
                draft-ietf-radext-dynauth-server-mib-05.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 30, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS, RFC 2865) Dynamic Authorization Server (DAS)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
       1.1.  Requirements notation
       1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Server MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Server (DAS) MIB complements the
   managed objects used for managing RADIUS authentication and
   accounting clients as described in [RFC2618bis] and [RFC2620bis],
   respectively.

   -- RFC Ed.: references [DYNCLNT], [RFC2618bis], [RFC2619bis],
   -- [RFC2620bis], and [RFC2621bis] should be replaced by
   -- references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the
      Disconnect and Change-of-Authorization (CoA) Request packets
      [RFC3576] sent by the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component that sends Disconnect and CoA-Request packets to
      the Dynamic Authorization Server.  While often residing on the
      RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens
      for the Disconnect and CoA requests sent by the Dynamic
      Authorization Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
   CoA-Request, CoA-ACK and CoA-NAK packets.  Typically NAS devices
   implement the DAS function, and thus would be expected to implement
   the RADIUS Dynamic Authorization Server MIB, while DACs implement the
   client function, and thus would be expected to implement the RADIUS
   Dynamic Authorization Client MIB.
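   The counters in this module only make sense against the packet-
   handling rules of RFC 3576 that a DAS applies to every datagram on
   its Dynamic Authorization port: discard senders it shares no secret
   with, verify the Request Authenticator (MD5 over the header, sixteen
   zero octets, the attributes and the shared secret), recognise a
   retransmission by its Identifier and Authenticator, and answer with
   an ACK or NAK whose Response Authenticator is computed over the
   Request Authenticator.  The Python below is an added example, not
   code from this draft or from any NAS vendor: a toy DAS that performs
   those steps and increments the objects defined in Section 4 as it
   goes, so the mapping from protocol outcome to counter is explicit.
   The DAC address/secret table, the session store keyed by User-Name
   (a site policy; RFC 3576 allows other session-identifying
   attributes), the fixed State value, and every packet built in demo()
   are constructed for the example.

```python
import hashlib
import hmac
import struct
from collections import Counter

# Codes: RFC 3576 2.3.  Attribute types: User-Name 1, Service-Type 6, State 24, Error-Cause 101.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, SERVICE_TYPE, STATE, ERROR_CAUSE = 1, 6, 24, 101
# Service-Type 'Authorize Only' (17) and Error-Cause 503/507, pre-encoded as 4 octets.
AUTHORIZE_ONLY, SESS_NOT_FOUND, REQ_INITIATED = (struct.pack("!I", n) for n in (17, 503, 507))
KINDS = {DISCONNECT_REQUEST: ("Discon", DISCONNECT_ACK, DISCONNECT_NAK),
         COA_REQUEST: ("CoA", COA_ACK, COA_NAK)}
HDR = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def attr(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value

def parse_attrs(data):
    out = []  # [(type, value), ...]; None when the TLV chain is inconsistent
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            return None
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def authenticator(code, ident, attrs, secret, prior=bytes(16)):
    """RFC 3576 2.3: MD5(Code+ID+Length+X+Attrs+Secret); X = 16 zero octets (request) or Request Authenticator (reply)."""
    hdr = struct.pack("!BBH", code, ident, HDR + len(attrs))
    return hashlib.md5(hdr + prior + attrs + secret).digest()

def build(code, ident, attrs, secret, prior=bytes(16)):
    return (struct.pack("!BBH", code, ident, HDR + len(attrs))
            + authenticator(code, ident, attrs, secret, prior) + attrs)

class DynAuthServer:
    """Toy DAS holding this MIB's scalars and one Counter per DAC (a radiusDynAuthClientTable row)."""
    def __init__(self, clients, sessions):
        self.clients, self.sessions = clients, sessions  # {addr: secret}, {user: n_sessions}
        self.scalars, self.table = Counter(), {a: Counter() for a in clients}
        self.replies = {}  # (src, ident, req_auth) -> cached reply, for retransmissions

    def handle(self, src, pkt):
        code = pkt[0] if pkt else None
        if src not in self.clients:  # unknown DAC: only the scalar counters move
            if code in KINDS:
                self.scalars[f"radiusDynAuthServer{KINDS[code][0]}InvalidClientAddresses"] += 1
            return None
        row, secret = self.table[src], self.clients[src]
        if code not in KINDS:
            row["radiusDynAuthServUnknownTypes"] += 1
            return None
        kind, ack, nak = KINDS[code]
        row[f"radiusDynAuthServ{kind}Requests"] += 1  # counted before any validation
        # Header/TLV checks come first: a short or inconsistent packet is "malformed", not "bad authenticator".
        length = struct.unpack("!H", pkt[2:4])[0] if len(pkt) >= 4 else 0
        attrs = parse_attrs(pkt[HDR:length]) if HDR <= length <= len(pkt) else None
        if attrs is None:
            row[f"radiusDynAuthServMalformed{kind}Requests"] += 1
            return None
        ident, req_auth = pkt[1], pkt[4:HDR]
        if not hmac.compare_digest(req_auth, authenticator(code, ident, pkt[HDR:length], secret)):
            row[f"radiusDynAuthServ{kind}BadAuthenticators"] += 1
            return None  # RFC 3576: silently discarded, never answered
        key = (src, ident, req_auth)
        if key in self.replies:  # retransmission: same Identifier and Authenticator
            row[f"radiusDynAuthServDup{kind}Requests"] += 1
            return self.replies[key]
        user = next((v.decode(errors="replace") for t, v in attrs if t == USER_NAME), None)
        if (SERVICE_TYPE, AUTHORIZE_ONLY) in attrs:
            # RFC 3576 3.3: NAK with Service-Type 'Authorize Only', State and Error-Cause 'Request Initiated'.
            row[f"radiusDynAuthServ{kind}AuthOnlyRequests"] += 1
            row[f"radiusDynAuthServ{kind}NakAuthOnlyRequests"] += 1
            reply_code, reply_attrs = nak, (attr(SERVICE_TYPE, AUTHORIZE_ONLY)
                + attr(STATE, b"example-state") + attr(ERROR_CAUSE, REQ_INITIATED))
        elif user not in self.sessions:
            row[f"radiusDynAuthServ{kind}NakSessNoContext"] += 1
            reply_code, reply_attrs = nak, attr(ERROR_CAUSE, SESS_NOT_FOUND)
        else:  # site policy here: one request affects every session of that user
            affected = self.sessions.pop(user) if kind == "Discon" else self.sessions[user]
            row["radiusDynAuthServDisconUserSessRemoved" if kind == "Discon"
                else "radiusDynAuthServCoAUserSessChanged"] += affected
            reply_code, reply_attrs = ack, b""
        row[f"radiusDynAuthServ{kind}" + ("Acks" if reply_code == ack else "Naks")] += 1
        reply = build(reply_code, ident, reply_attrs, secret, prior=req_auth)
        self.replies[key] = reply
        return reply

def demo():  # constructed traffic that touches each counter; returns (scalars, DAC row)
    dac, secret = "192.0.2.10", b"example-shared-secret"
    das = DynAuthServer({dac: secret}, {"alice": 2, "bob": 1})
    disc = build(DISCONNECT_REQUEST, 7, attr(USER_NAME, b"alice"), secret)
    for _ in range(2): das.handle(dac, disc)                # ACK, then a retransmission (duplicate)
    das.handle(dac, build(COA_REQUEST, 8, attr(USER_NAME, b"carol"), secret))  # no session context
    das.handle(dac, build(COA_REQUEST, 9, b"", b"wrong-secret"))              # bad authenticator
    das.handle("198.51.100.9", disc)                        # unknown DAC address
    das.handle(dac, build(1, 10, b"", secret))              # Access-Request: unknown type
    das.handle(dac, disc[:12])                              # truncated: malformed
    das.handle(dac, build(COA_REQUEST, 11, attr(USER_NAME, b"bob") + attr(SERVICE_TYPE, AUTHORIZE_ONLY), secret))
    return das.scalars, das.table[dac]
```

   Two details of the ordering matter operationally.  A packet from an
   address with no shared secret never reaches the authenticator check,
   so such traffic appears only in the two scalars and never creates or
   touches a table row.  A packet from a known DAC that fails the
   authenticator check is counted but never answered, as RFC 3576
   requires, so the DAS gives a sender no feedback on whether its guess
   at the shared secret was close.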
   However, it is possible for a RADIUS Dynamic Authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for Dynamic Authorization Servers and
   relates to the following documents as follows:

      [RFC2618bis] describes the RADIUS Authentication Client MIB.

      [RFC2619bis] describes the RADIUS Authentication Server MIB.

      [RFC2620bis] describes the RADIUS Accounting Client MIB.

      [RFC2621bis] describes the RADIUS Accounting Server MIB.

      [DYNCLNT] describes the RADIUS Dynamic Authorization Client MIB.

   A NAS typically implements the MIBs for a RADIUS authentication
   client, a RADIUS accounting client, and a RADIUS Dynamic
   Authorization Server.  However, any one MIB can be implemented
   without implementing any of the other MIBs, i.e., the MIBs have no
   dependencies on each other.  Another typical case is a device that
   implements the RADIUS authentication server, RADIUS accounting
   server, and RADIUS Dynamic Authorization Client MIBs.  A RADIUS proxy
   might implement any, all, or a subset of the MIBs listed above and
   the MIB defined in this document.

                +---------------+                      +---------------+
      User 1----|               |  Disconnect-Request  |               |
                |    Dynamic    |     CoA-Request      |    Dynamic    |
      User 2----| Authorization |<---------------------| Authorization |
                |    Server     |--------------------->|    Client     |
      User 3----|     (DAS)     |    Disconnect-Ack    |     (DAC)     |
                |               |    Disconnect-NAK    |               |
                +---------------+    CoA-Ack/CoA-NAK   +---------------+

                 Figure 1: Mapping of clients and servers.

   This MIB module for the Dynamic Authorization Server contains the
   following:

   1.  Four scalar objects, and

   2.
One Dynamic Authorization Client Table. This table contains one 185 row for each DAC with which the DAS shares a secret. 187 4. RADIUS Dynamic Authorization Server MIB Definitions 189 RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN 191 IMPORTS 192 MODULE-IDENTITY, OBJECT-TYPE, 193 Counter32, Integer32, mib-2, 194 TimeTicks FROM SNMPv2-SMI -- [RFC2578] 195 SnmpAdminString FROM SNMP-FRAMEWORK-MIB -- [RFC3411] 196 InetAddressType, 197 InetAddress FROM INET-ADDRESS-MIB -- [RFC4001] 198 MODULE-COMPLIANCE, 199 OBJECT-GROUP FROM SNMPv2-CONF; -- [RFC2580] 201 radiusDynAuthServerMIB MODULE-IDENTITY 202 LAST-UPDATED "200603220000Z" -- 22 March 2006 203 ORGANIZATION "IETF RADEXT Working Group" 204 CONTACT-INFO 205 " Stefaan De Cnodder 206 Alcatel 207 Francis Wellesplein 1 208 B-2018 Antwerp 209 Belgium 211 Phone: +32 3 240 85 15 212 EMail: stefaan.de_cnodder@alcatel.be 214 Nagi Reddy Jonnala 215 Cisco Systems, Inc. 216 Divyasree Chambers, B Wing, 217 O'Shaugnessy Road, 218 Bangalore-560027, India. 220 Phone: +91 94487 60828 221 EMail: njonnala@cisco.com 223 Murtaza Chiba 224 Cisco Systems, Inc. 225 170 West Tasman Dr. 226 San Jose CA, 95134 228 Phone: +1 408 525 7198 229 EMail: mchiba@cisco.com " 230 DESCRIPTION 231 "The MIB module for entities implementing the server 232 side of the Dynamic Authorization Extensions to Remote 233 Authentication Dial In User Service (RADIUS) protocol. 235 Copyright (C) The Internet Society (2006). Initial 236 version as published in RFC yyyy; 237 for full legal notices see the RFC itself." 238 -- RFC Ed.: replace yyyy with actual RFC number & remove this note 240 REVISION "200603220000Z" -- 22 March 2006 241 DESCRIPTION "Initial version as published in RFC yyyy." 242 -- RFC Ed.: replace yyyy with actual RFC number & remove this note 243 ::= { mib-2 xxx } 244 -- The value xxx to be assigned by IANA. 
246 radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::= 247 { radiusDynAuthServerMIB 1 } 249 radiusDynAuthServerScalars OBJECT IDENTIFIER ::= 250 { radiusDynAuthServerMIBObjects 1 } 252 radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE 253 SYNTAX Counter32 254 MAX-ACCESS read-only 255 STATUS current 256 DESCRIPTION 257 "The number of Disconnect-Request packets received from 258 unknown addresses. This counter may experience a 259 discontinuity when the DAS module (re)starts as 260 indicated by the value of 261 radiusDynAuthServerCounterDiscontinuity." 262 ::= { radiusDynAuthServerScalars 1 } 264 radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE 265 SYNTAX Counter32 266 MAX-ACCESS read-only 267 STATUS current 268 DESCRIPTION 269 "The number of CoA-Request packets received from unknown 270 addresses. This counter may experience a discontinuity 271 when the DAS module (re)starts as indicated by the value 272 of radiusDynAuthServerCounterDiscontinuity." 273 ::= { radiusDynAuthServerScalars 2 } 275 radiusDynAuthServerIdentifier OBJECT-TYPE 276 SYNTAX SnmpAdminString 277 MAX-ACCESS read-only 278 STATUS current 279 DESCRIPTION 280 "The NAS-Identifier of the RADIUS Dynamic Authorization 281 Server. This is not necessarily the same as sysName in 282 MIB II." 284 REFERENCE 285 "RFC 2865, Section 5.32, NAS-Identifier." 286 ::= { radiusDynAuthServerScalars 3 } 288 radiusDynAuthServerCounterDiscontinuity OBJECT-TYPE 289 SYNTAX TimeTicks 290 UNITS "hundredths of a second" 291 MAX-ACCESS read-only 292 STATUS current 293 DESCRIPTION 294 "The time (in hundredths of a second) since the 295 DAS module was last re-initialized." 296 ::= { radiusDynAuthServerScalars 4 } 298 radiusDynAuthClientTable OBJECT-TYPE 299 SYNTAX SEQUENCE OF RadiusDynAuthClientEntry 300 MAX-ACCESS not-accessible 301 STATUS current 302 DESCRIPTION 303 "The (conceptual) table listing the RADIUS Dynamic 304 Authorization Clients with which the server shares a 305 secret." 
306 ::= { radiusDynAuthServerMIBObjects 2 } 308 radiusDynAuthClientEntry OBJECT-TYPE 309 SYNTAX RadiusDynAuthClientEntry 310 MAX-ACCESS not-accessible 311 STATUS current 312 DESCRIPTION 313 "An entry (conceptual row) representing one Dynamic 314 Authorization Client with which the server shares a 315 secret." 316 INDEX { radiusDynAuthClientIndex } 317 ::= { radiusDynAuthClientTable 1 } 319 RadiusDynAuthClientEntry ::= SEQUENCE { 320 radiusDynAuthClientIndex Integer32, 321 radiusDynAuthClientAddressType InetAddressType, 322 radiusDynAuthClientAddress InetAddress, 323 radiusDynAuthServDisconRequests Counter32, 324 radiusDynAuthServDisconAuthOnlyRequests Counter32, 325 radiusDynAuthServDupDisconRequests Counter32, 326 radiusDynAuthServDisconAcks Counter32, 327 radiusDynAuthServDisconNaks Counter32, 328 radiusDynAuthServDisconNakAuthOnlyRequests Counter32, 329 radiusDynAuthServDisconNakSessNoContext Counter32, 330 radiusDynAuthServDisconUserSessRemoved Counter32, 331 radiusDynAuthServMalformedDisconRequests Counter32, 332 radiusDynAuthServDisconBadAuthenticators Counter32, 333 radiusDynAuthServDisconPacketsDropped Counter32, 334 radiusDynAuthServCoARequests Counter32, 335 radiusDynAuthServCoAAuthOnlyRequests Counter32, 336 radiusDynAuthServDupCoARequests Counter32, 337 radiusDynAuthServCoAAcks Counter32, 338 radiusDynAuthServCoANaks Counter32, 339 radiusDynAuthServCoANakAuthOnlyRequests Counter32, 340 radiusDynAuthServCoANakSessNoContext Counter32, 341 radiusDynAuthServCoAUserSessChanged Counter32, 342 radiusDynAuthServMalformedCoARequests Counter32, 343 radiusDynAuthServCoABadAuthenticators Counter32, 344 radiusDynAuthServCoAPacketsDropped Counter32, 345 radiusDynAuthServUnknownTypes Counter32 346 } 348 radiusDynAuthClientIndex OBJECT-TYPE 349 SYNTAX Integer32 (1..2147483647) 350 MAX-ACCESS not-accessible 351 STATUS current 352 DESCRIPTION 353 "A number uniquely identifying each RADIUS Dynamic 354 Authorization Client with which this Dynamic 355 Authorization Server 
communicates. This number is 356 allocated by the agent implementing this MIB module, 357 and is unique in this context." 358 ::= { radiusDynAuthClientEntry 1 } 360 radiusDynAuthClientAddressType OBJECT-TYPE 361 SYNTAX InetAddressType 362 MAX-ACCESS read-only 363 STATUS current 364 DESCRIPTION 365 "The type of IP address of the RADIUS Dynamic 366 Authorization Client referred to in this table entry." 367 ::= { radiusDynAuthClientEntry 2 } 369 radiusDynAuthClientAddress OBJECT-TYPE 370 SYNTAX InetAddress 371 MAX-ACCESS read-only 372 STATUS current 373 DESCRIPTION 374 "The IP address value of the RADIUS Dynamic 375 Authorization Client referred to in this table entry, 376 using the version neutral IP address format. The type 377 of this address is determined by the value of 378 the radiusDynAuthClientAddressType object." 380 ::= { radiusDynAuthClientEntry 3 } 382 radiusDynAuthServDisconRequests OBJECT-TYPE 383 SYNTAX Counter32 384 UNITS "requests" 385 MAX-ACCESS read-only 386 STATUS current 387 DESCRIPTION 388 "The number of RADIUS Disconnect-Requests received 389 from this Dynamic Authorization Client. This also 390 includes the RADIUS Disconnect-Requests that have a 391 Service-Type attribute with value 'Authorize Only'. 392 This counter may experience a discontinuity when the 393 DAS module (re)starts as indicated by the value of 394 radiusDynAuthServerCounterDiscontinuity." 395 REFERENCE 396 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 397 ::= { radiusDynAuthClientEntry 4 } 399 radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE 400 SYNTAX Counter32 401 UNITS "requests" 402 MAX-ACCESS read-only 403 STATUS current 404 DESCRIPTION 405 "The number of RADIUS Disconnect-Requests that include 406 a Service-Type attribute with value 'Authorize Only' 407 received from this Dynamic Authorization Client. This 408 counter may experience a discontinuity when the DAS 409 module (re)starts as indicated by the value of 410 radiusDynAuthServerCounterDiscontinuity." 
411 REFERENCE 412 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 413 ::= { radiusDynAuthClientEntry 5 } 415 radiusDynAuthServDupDisconRequests OBJECT-TYPE 416 SYNTAX Counter32 417 UNITS "requests" 418 MAX-ACCESS read-only 419 STATUS current 420 DESCRIPTION 421 "The number of duplicate RADIUS Disconnect-Request 422 packets received from this Dynamic Authorization 423 Client. This counter may experience a discontinuity 424 when the DAS module (re)starts as indicated by the 425 value of radiusDynAuthServerCounterDiscontinuity." 426 REFERENCE 427 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 429 ::= { radiusDynAuthClientEntry 6 } 431 radiusDynAuthServDisconAcks OBJECT-TYPE 432 SYNTAX Counter32 433 UNITS "replies" 434 MAX-ACCESS read-only 435 STATUS current 436 DESCRIPTION 437 "The number of RADIUS Disconnect-ACK packets sent to 438 this Dynamic Authorization Client. This counter may 439 experience a discontinuity when the DAS module 440 (re)starts as indicated by the value of 441 radiusDynAuthServerCounterDiscontinuity." 442 REFERENCE 443 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 444 ::= { radiusDynAuthClientEntry 7 } 446 radiusDynAuthServDisconNaks OBJECT-TYPE 447 SYNTAX Counter32 448 UNITS "replies" 449 MAX-ACCESS read-only 450 STATUS current 451 DESCRIPTION 452 "The number of RADIUS Disconnect-NAK packets 453 sent to this Dynamic Authorization Client. This 454 includes the RADIUS Disconnect-NAK packets sent 455 with a Service-Type attribute with value 'Authorize 456 Only' and the RADIUS Disconnect-NAK packets sent 457 because no session context was found. This counter 458 may experience a discontinuity when the DAS module 459 (re)starts as indicated by the value of 460 radiusDynAuthServerCounterDiscontinuity." 461 REFERENCE 462 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 
463 ::= { radiusDynAuthClientEntry 8 } 465 radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE 466 SYNTAX Counter32 467 UNITS "replies" 468 MAX-ACCESS read-only 469 STATUS current 470 DESCRIPTION 471 "The number of RADIUS Disconnect-NAK packets that 472 include a Service-Type attribute with value 473 'Authorize Only' sent to this Dynamic Authorization 474 Client. This counter may experience a discontinuity 475 when the DAS module (re)starts as indicated by the 476 value of radiusDynAuthServerCounterDiscontinuity." 478 REFERENCE 479 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 480 ::= { radiusDynAuthClientEntry 9 } 482 radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE 483 SYNTAX Counter32 484 UNITS "replies" 485 MAX-ACCESS read-only 486 STATUS current 487 DESCRIPTION 488 "The number of RADIUS Disconnect-NAK packets 489 sent to this Dynamic Authorization Client 490 because no session context was found. This counter may 491 experience a discontinuity when the DAS module 492 (re)starts as indicated by the value of 493 radiusDynAuthServerCounterDiscontinuity." 494 REFERENCE 495 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 496 ::= { radiusDynAuthClientEntry 10 } 498 radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE 499 SYNTAX Counter32 500 UNITS "sessions" 501 MAX-ACCESS read-only 502 STATUS current 503 DESCRIPTION 504 "The number of user sessions removed for the 505 Disconnect-Requests received from this 506 Dynamic Authorization Client. Depending on site 507 specific policies, a single Disconnect request 508 can remove multiple user sessions. In the case 509 that this Dynamic Authorization Server has no 510 knowledge of the number of user sessions that 511 are affected by a single request, for each such 512 Disconnect-Request, it will count as a single 513 affected user session only. This counter may experience 514 a discontinuity when the DAS module (re)starts as 515 indicated by the value of 516 radiusDynAuthServerCounterDiscontinuity." 
517 REFERENCE 518 "RFC 3576, Section 2.1, Disconnect Messages (DM)." 519 ::= { radiusDynAuthClientEntry 11 } 521 radiusDynAuthServMalformedDisconRequests OBJECT-TYPE 522 SYNTAX Counter32 523 UNITS "requests" 524 MAX-ACCESS read-only 525 STATUS current 526 DESCRIPTION 527 "The number of malformed RADIUS Disconnect-Request 528 packets received from this Dynamic Authorization 529 Client. Bad authenticators and unknown types are not 530 included as malformed Disconnect-Requests. This counter 531 may experience a discontinuity when the DAS module 532 (re)starts as indicated by the value of 533 radiusDynAuthServerCounterDiscontinuity." 534 REFERENCE 535 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 536 Section 2.3, Packet Format." 537 ::= { radiusDynAuthClientEntry 12 } 539 radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE 540 SYNTAX Counter32 541 UNITS "requests" 542 MAX-ACCESS read-only 543 STATUS current 544 DESCRIPTION 545 "The number of RADIUS Disconnect-Request packets 546 which contained invalid Authenticator field 547 received from this Dynamic Authorization Client. This 548 counter may experience a discontinuity when the DAS 549 module (re)starts as indicated by the value of 550 radiusDynAuthServerCounterDiscontinuity." 551 REFERENCE 552 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 553 Section 2.3, Packet Format." 554 ::= { radiusDynAuthClientEntry 13 } 556 radiusDynAuthServDisconPacketsDropped OBJECT-TYPE 557 SYNTAX Counter32 558 UNITS "requests" 559 MAX-ACCESS read-only 560 STATUS current 561 DESCRIPTION 562 "The number of incoming Disconnect-Requests 563 from this Dynamic Authorization Client silently 564 discarded by the server application for some reason 565 other than malformed, bad authenticators or unknown 566 types. This counter may experience a discontinuity 567 when the DAS module (re)starts as indicated by the 568 value of radiusDynAuthServerCounterDiscontinuity." 
569 REFERENCE 570 "RFC 3576, Section 2.1, Disconnect Messages (DM), and 571 Section 2.3, Packet Format." 572 ::= { radiusDynAuthClientEntry 14 } 574 radiusDynAuthServCoARequests OBJECT-TYPE 575 SYNTAX Counter32 576 UNITS "requests" 577 MAX-ACCESS read-only 578 STATUS current 579 DESCRIPTION 580 "The number of RADIUS CoA-requests received from this 581 Dynamic Authorization Client. This also includes 582 the CoA requests that have a Service-Type attribute 583 with value 'Authorize Only'. This counter may 584 experience a discontinuity when the DAS module 585 (re)starts as indicated by the value of 586 radiusDynAuthServerCounterDiscontinuity." 587 REFERENCE 588 "RFC 3576, Section 2.2, Change-of-Authorization 589 Messages (CoA)." 590 ::= { radiusDynAuthClientEntry 15 } 592 radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE 593 SYNTAX Counter32 594 UNITS "requests" 595 MAX-ACCESS read-only 596 STATUS current 597 DESCRIPTION 598 "The number of RADIUS CoA-requests that include a 599 Service-Type attribute with value 'Authorize Only' 600 received from this Dynamic Authorization Client. This 601 counter may experience a discontinuity when the DAS 602 module (re)starts as indicated by the value of 603 radiusDynAuthServerCounterDiscontinuity." 604 REFERENCE 605 "RFC 3576, Section 2.2, Change-of-Authorization 606 Messages (CoA)." 607 ::= { radiusDynAuthClientEntry 16 } 609 radiusDynAuthServDupCoARequests OBJECT-TYPE 610 SYNTAX Counter32 611 UNITS "requests" 612 MAX-ACCESS read-only 613 STATUS current 614 DESCRIPTION 615 "The number of duplicate RADIUS CoA-Request packets 616 received from this Dynamic Authorization Client. This 617 counter may experience a discontinuity when the DAS 618 module (re)starts as indicated by the value of 619 radiusDynAuthServerCounterDiscontinuity." 620 REFERENCE 621 "RFC 3576, Section 2.2, Change-of-Authorization 622 Messages (CoA)." 
623 ::= { radiusDynAuthClientEntry 17 } 625 radiusDynAuthServCoAAcks OBJECT-TYPE 626 SYNTAX Counter32 627 UNITS "replies" 628 MAX-ACCESS read-only 629 STATUS current 630 DESCRIPTION 631 "The number of RADIUS CoA-ACK packets sent to this 632 Dynamic Authorization Client. This counter may 633 experience a discontinuity when the DAS module 634 (re)starts as indicated by the value of 635 radiusDynAuthServerCounterDiscontinuity." 636 REFERENCE 637 "RFC 3576, Section 2.2, Change-of-Authorization 638 Messages (CoA)." 639 ::= { radiusDynAuthClientEntry 18 } 641 radiusDynAuthServCoANaks OBJECT-TYPE 642 SYNTAX Counter32 643 UNITS "replies" 644 MAX-ACCESS read-only 645 STATUS current 646 DESCRIPTION 647 "The number of RADIUS CoA-NAK packets sent to 648 this Dynamic Authorization Client. This includes 649 the RADIUS CoA-NAK packets sent with a Service-Type 650 attribute with value 'Authorize Only' and the RADIUS 651 CoA-NAK packets sent because no session context was 652 found. This counter may experience a discontinuity 653 when the DAS module (re)starts as indicated by the 654 value of radiusDynAuthServerCounterDiscontinuity." 655 REFERENCE 656 "RFC 3576, Section 2.2, Change-of-Authorization 657 Messages (CoA)." 658 ::= { radiusDynAuthClientEntry 19 } 660 radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE 661 SYNTAX Counter32 662 UNITS "replies" 663 MAX-ACCESS read-only 664 STATUS current 665 DESCRIPTION 666 "The number of RADIUS CoA-NAK packets that include a 667 Service-Type attribute with value 'Authorize Only' 668 sent to this Dynamic Authorization Client. This counter 669 may experience a discontinuity when the DAS module 670 (re)starts as indicated by the value of 671 radiusDynAuthServerCounterDiscontinuity." 672 REFERENCE 673 "RFC 3576, Section 2.2, Change-of-Authorization 674 Messages (CoA)." 
675 ::= { radiusDynAuthClientEntry 20 } 677 radiusDynAuthServCoANakSessNoContext OBJECT-TYPE 678 SYNTAX Counter32 679 UNITS "replies" 680 MAX-ACCESS read-only 681 STATUS current 682 DESCRIPTION 683 "The number of RADIUS CoA-NAK packets sent to this 684 Dynamic Authorization Client because no session context 685 was found. This counter may experience a discontinuity 686 when the DAS module (re)starts as indicated by the 687 value of radiusDynAuthServerCounterDiscontinuity." 688 REFERENCE 689 "RFC 3576, Section 2.2, Change-of-Authorization 690 Messages (CoA)." 691 ::= { radiusDynAuthClientEntry 21 } 693 radiusDynAuthServCoAUserSessChanged OBJECT-TYPE 694 SYNTAX Counter32 695 UNITS "sessions" 696 MAX-ACCESS read-only 697 STATUS current 698 DESCRIPTION 699 "The number of user sessions authorization 700 changed for the CoA-Requests received from this 701 Dynamic Authorization Client. Depending on site 702 specific policies, a single CoA request can change 703 multiple user sessions' authorization. In the case 704 this Dynamic Authorization Server has no knowledge of 705 the number of user sessions that are affected by a 706 single request, for each such CoA-Request, it will 707 count as a single affected user session only. This 708 counter may experience a discontinuity when the DAS 709 module (re)starts as indicated by the value of 710 radiusDynAuthServerCounterDiscontinuity." 711 REFERENCE 712 "RFC 3576, Section 2.2, Change-of-Authorization 713 Messages (CoA)." 714 ::= { radiusDynAuthClientEntry 22 } 716 radiusDynAuthServMalformedCoARequests OBJECT-TYPE 717 SYNTAX Counter32 718 UNITS "requests" 719 MAX-ACCESS read-only 720 STATUS current 721 DESCRIPTION 722 "The number of malformed RADIUS CoA-Request packets 723 received from this Dynamic Authorization Client. Bad 724 authenticators and unknown types are not included as 725 malformed CoA-Requests. 
This counter may experience a 726 discontinuity when the DAS module (re)starts as 727 indicated by the value of 728 radiusDynAuthServerCounterDiscontinuity." 729 REFERENCE 730 "RFC 3576, Section 2.2, Change-of-Authorization 731 Messages (CoA), and Section 2.3, Packet Format." 732 ::= { radiusDynAuthClientEntry 23 } 734 radiusDynAuthServCoABadAuthenticators OBJECT-TYPE 735 SYNTAX Counter32 736 UNITS "requests" 737 MAX-ACCESS read-only 738 STATUS current 739 DESCRIPTION 740 "The number of RADIUS CoA-Request packets which 741 contained invalid Authenticator field received 742 from this Dynamic Authorization Client. This counter 743 may experience a discontinuity when the DAS module 744 (re)starts as indicated by the value of 745 radiusDynAuthServerCounterDiscontinuity." 746 REFERENCE 747 "RFC 3576, Section 2.2, Change-of-Authorization 748 Messages (CoA), and Section 2.3, Packet Format." 749 ::= { radiusDynAuthClientEntry 24 } 751 radiusDynAuthServCoAPacketsDropped OBJECT-TYPE 752 SYNTAX Counter32 753 UNITS "requests" 754 MAX-ACCESS read-only 755 STATUS current 756 DESCRIPTION 757 "The number of incoming CoA packets from this 758 Dynamic Authorization Client silently discarded 759 by the server application for some reason other than 760 malformed, bad authenticators or unknown types. This 761 counter may experience a discontinuity when the DAS 762 module (re)starts as indicated by the value of 763 radiusDynAuthServerCounterDiscontinuity." 764 REFERENCE 765 "RFC 3576, Section 2.2, Change-of-Authorization 766 Messages (CoA), and Section 2.3, Packet Format." 767 ::= { radiusDynAuthClientEntry 25 } 769 radiusDynAuthServUnknownTypes OBJECT-TYPE 770 SYNTAX Counter32 771 UNITS "requests" 772 MAX-ACCESS read-only 773 STATUS current 774 DESCRIPTION 775 "The number of incoming packets of unknown types which 776 were received on the Dynamic Authorization port. 
                 This counter may experience a discontinuity when the
                 DAS module (re)starts as indicated by the value of
                 radiusDynAuthServerCounterDiscontinuity."
          REFERENCE
                "RFC 3576, Section 2.3, Packet Format."
          ::= { radiusDynAuthClientEntry 26 }

   -- conformance information

   radiusDynAuthServerMIBConformance
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 }
   radiusDynAuthServerMIBCompliances
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 }
   radiusDynAuthServerMIBGroups
          OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 }

   -- compliance statements

   radiusAuthServerMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for entities implementing
                 the RADIUS Dynamic Authorization Server.  Implementation
                 of this module is for entities that support IPv4 and/or
                 IPv6."
          MODULE -- this module
          MANDATORY-GROUPS { radiusDynAuthServerMIBGroup }

          OBJECT radiusDynAuthClientAddressType
          SYNTAX InetAddressType { ipv4(1), ipv6(2) }
          DESCRIPTION
                "An implementation is only required to support IPv4 and
                 globally unique IPv6 addresses."

          OBJECT radiusDynAuthClientAddress
          SYNTAX InetAddress (SIZE(4|16))
          DESCRIPTION
                "An implementation is only required to support IPv4 and
                 globally unique IPv6 addresses."

          GROUP radiusDynAuthServerAuthOnlyGroup
          DESCRIPTION
                "Only required for Dynamic Authorization Clients that
                 support Service-Type attributes with value
                 'Authorize-Only'."

          GROUP radiusDynAuthServerNoSessGroup
          DESCRIPTION
                "This group is not required when the Dynamic
                 Authorization Server cannot easily determine whether
                 a session exists or not (e.g., in the case of a RADIUS
                 proxy)."
          ::= { radiusDynAuthServerMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthServerMIBGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                    radiusDynAuthServerCoAInvalidClientAddresses,
                    radiusDynAuthServerIdentifier,
                    radiusDynAuthServerCounterDiscontinuity,
                    radiusDynAuthClientAddressType,
                    radiusDynAuthClientAddress,
                    radiusDynAuthServDisconRequests,
                    radiusDynAuthServDupDisconRequests,
                    radiusDynAuthServDisconAcks,
                    radiusDynAuthServDisconNaks,
                    radiusDynAuthServDisconUserSessRemoved,
                    radiusDynAuthServMalformedDisconRequests,
                    radiusDynAuthServDisconBadAuthenticators,
                    radiusDynAuthServDisconPacketsDropped,
                    radiusDynAuthServCoARequests,
                    radiusDynAuthServDupCoARequests,
                    radiusDynAuthServCoAAcks,
                    radiusDynAuthServCoANaks,
                    radiusDynAuthServCoAUserSessChanged,
                    radiusDynAuthServMalformedCoARequests,
                    radiusDynAuthServCoABadAuthenticators,
                    radiusDynAuthServCoAPacketsDropped,
                    radiusDynAuthServUnknownTypes
                  }
          STATUS current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Dynamic Authorization Server."
          ::= { radiusDynAuthServerMIBGroups 1 }

   radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
                    radiusDynAuthServDisconNakAuthOnlyRequests,
                    radiusDynAuthServCoAAuthOnlyRequests,
                    radiusDynAuthServCoANakAuthOnlyRequests
                  }
          STATUS current
          DESCRIPTION
                "The collection of objects supporting the RADIUS
                 messages that include a Service-Type attribute with
                 value 'Authorize Only'."
          ::= { radiusDynAuthServerMIBGroups 2 }

   radiusDynAuthServerNoSessGroup OBJECT-GROUP
          OBJECTS { radiusDynAuthServDisconNakSessNoContext,
                    radiusDynAuthServCoANakSessNoContext
                  }
          STATUS current
          DESCRIPTION
                "The collection of objects supporting the RADIUS
                 messages that refer to non-existent sessions."
          ::= { radiusDynAuthServerMIBGroups 3 }

   END

5.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

      These can be used to determine the address of the DAC with which
      the DAS is communicating.  This information could be useful in
      mounting an attack on the DAC.

   radiusDynAuthServerIdentifier

      This can be used to determine the Identifier of the DAS.  This
      information could be useful in impersonating the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
   It is then a customer/operator responsibility to ensure that the
   SNMP entity giving access to an instance of this MIB module is
   properly configured to give access to the objects only to those
   principals (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID xxx under mib-2.

7.  Acknowledgements

   The authors would like to acknowledge the following people for
   their comments on this document: Bernard Aboba, Alan DeKok, David
   Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
   Weber, Bert Wijnen and Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., et al., "Textual Conventions for Internet
              Network Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M.
              Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-ietf-radext-dynauth-client-mib-05.txt, work in
              progress, December 2005.

   [RFC2618bis]
              Nelson, D., "RADIUS Auth Client MIB (IPv6)",
              draft-ietf-radext-rfc2618bis-01.txt, work in progress,
              October 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.

   [RFC2620bis]
              Nelson, D., "RADIUS Acct Client MIB (IPv6)",
              draft-ietf-radext-rfc2620bis-01.txt, work in progress,
              October 2005.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 94487 60828
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).
   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
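Worked example (added here; not part of this draft and not the code of any DAS implementation). The per-client counters defined in the MIB module above are only meaningful if every incoming datagram on the Dynamic Authorization port is classified into exactly one bucket: unknown type, malformed, bad authenticator, accepted request (possibly a duplicate), and then CoA-ACK or CoA-NAK, with the no-session-context NAK and the number of user sessions changed counted separately. The Python below shows one such classifier for CoA-Requests from a single DAC. The packet layout, the Request and Response Authenticator rules, the Code values and the Error-Cause value 503 follow RFC 3576 (Sections 2.3 and 3.5); the shared secret, the session table mapping Acct-Session-Id to the number of user sessions a CoA changes, and all datagrams are constructed for the example, and the class and function names are the author's own.

```python
# Constructed sample DAS logic deriving the MIB's per-client counters from
# CoA-Request handling (RFC 3576, Sections 2.3 and 3.5); all data is constructed.
import hashlib
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND = 503
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-octet Authenticator follows
COUNTER_NAMES = ("radiusDynAuthServUnknownTypes", "radiusDynAuthServMalformedCoARequests",
                 "radiusDynAuthServCoABadAuthenticators", "radiusDynAuthServCoARequests",
                 "radiusDynAuthServDupCoARequests", "radiusDynAuthServCoAAcks", "radiusDynAuthServCoANaks",
                 "radiusDynAuthServCoANakSessNoContext", "radiusDynAuthServCoAUserSessChanged")

def encode_attributes(attrs):   # RFC 2865 TLV encoding; Length includes the 2-octet header
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attributes(payload):
    """Return [(type, value)], or None when the attribute stream is malformed."""
    attrs, pos = [], 0
    while pos < len(payload):
        alen = payload[pos + 1] if pos + 2 <= len(payload) else 0
        if alen < 2 or pos + alen > len(payload):
            return None
        attrs.append((payload[pos], payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def request_authenticator(code, ident, length, body, secret):
    """RFC 3576, Section 2.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + bytes(16) + body + secret).digest()

def build_packet(code, ident, attrs, secret, req_auth=None):
    """Constructed helper: a CoA-Request (req_auth None) or a reply to one (req_auth given)."""
    body = encode_attributes(attrs)
    length = 20 + len(body)
    if req_auth is None:
        auth = request_authenticator(code, ident, length, body, secret)
    else:   # Response Authenticator: MD5(Code + ID + Length + RequestAuth + attributes + secret)
        auth = hashlib.md5(HEADER.pack(code, ident, length) + req_auth + body + secret).digest()
    return HEADER.pack(code, ident, length) + auth + body

class DasClientCounters:
    """Counters for one DAC, named after the radiusDynAuthClientEntry objects."""
    def __init__(self, secret, sessions):
        self.secret = secret
        self.sessions = sessions   # Acct-Session-Id -> user sessions one CoA changes (site policy)
        self.replies = {}          # (Identifier, Request Authenticator) -> cached reply
        self.counters = dict.fromkeys(COUNTER_NAMES, 0)

    def bump(self, name, by=1):
        self.counters[name] += by

    def receive(self, packet):
        """Classify one datagram; return the reply packet, or None if it is silently discarded."""
        if len(packet) < 20:                       # too short even for the fixed header
            self.bump("radiusDynAuthServMalformedCoARequests")
            return None
        code, ident, length = HEADER.unpack(packet[:4])
        if code != CODE_COA_REQUEST:               # counted as unknown type, not as malformed
            self.bump("radiusDynAuthServUnknownTypes")
            return None
        body = packet[20:]
        attrs = parse_attributes(body) if length == len(packet) else None
        if attrs is None:                          # Length field or attribute TLVs inconsistent
            self.bump("radiusDynAuthServMalformedCoARequests")
            return None
        req_auth = packet[4:20]
        if req_auth != request_authenticator(code, ident, length, body, self.secret):
            self.bump("radiusDynAuthServCoABadAuthenticators")   # wrong secret or tampered packet
            return None
        self.bump("radiusDynAuthServCoARequests")
        key = (ident, req_auth)
        if key in self.replies:                    # retransmission: resend cached reply, do not re-apply
            self.bump("radiusDynAuthServDupCoARequests")
            reply = self.replies[key]
        else:
            changed = sum(self.sessions.get(v, 0) for t, v in attrs if t == ATTR_ACCT_SESSION_ID)
            if changed == 0:                       # no session context: CoA-NAK with Error-Cause 503
                self.bump("radiusDynAuthServCoANakSessNoContext")
                cause = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_CAUSE_SESSION_CONTEXT_NOT_FOUND))]
                reply = build_packet(CODE_COA_NAK, ident, cause, self.secret, req_auth)
            else:
                self.bump("radiusDynAuthServCoAUserSessChanged", changed)
                reply = build_packet(CODE_COA_ACK, ident, [], self.secret, req_auth)
            self.replies[key] = reply
        self.bump("radiusDynAuthServCoAAcks" if reply[0] == CODE_COA_ACK else "radiusDynAuthServCoANaks")
        return reply

def demo():
    """Run constructed datagrams from one DAC through the classifier and return its counters."""
    secret = b"constructed-secret"
    das = DasClientCounters(secret, {b"sess-1": 1, b"sess-2": 3})
    good = build_packet(CODE_COA_REQUEST, 7, [(ATTR_ACCT_SESSION_ID, b"sess-2")], secret)
    das.receive(good)                                                  # CoA-ACK; 3 user sessions changed
    das.receive(good)                                                  # retransmit: duplicate, ACK resent
    das.receive(build_packet(CODE_COA_REQUEST, 8, [(ATTR_ACCT_SESSION_ID, b"nope")], secret))  # NAK 503
    das.receive(build_packet(CODE_COA_REQUEST, 9, [(ATTR_USER_NAME, b"bob")], b"wrong-secret"))  # bad auth
    das.receive(HEADER.pack(99, 1, 20) + bytes(16))                    # Code 99: unknown type
    das.receive(build_packet(CODE_COA_REQUEST, 10, [(ATTR_USER_NAME, b"bob")], secret)[:-1])  # malformed
    return das.counters
```

Two design points are worth noting for anyone wiring such counters into a real agent. First, the checks are ordered so that each datagram lands in one bucket only, matching the DESCRIPTION clauses: an unknown Code is never also counted as malformed, and a bad authenticator is only evaluated once the packet is structurally sound. Second, a retransmitted request (same Identifier and Request Authenticator) is answered from the cached reply rather than re-applied, so radiusDynAuthServCoAUserSessChanged counts each authorization change once while radiusDynAuthServDupCoARequests still records the duplicate; a sustained rise in the bad-authenticator or unknown-type counters for one DAC is the signal an operator would watch for.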