Network Working Group                                      S. De Cnodder
Internet-Draft                                                   Alcatel
Expires: December 17, 2006                                    N. Jonnala
                                                                M. Chiba
                                                     Cisco Systems, Inc.
                                                           June 15, 2006


                    Dynamic Authorization Server MIB
               draft-ietf-radext-dynauth-server-mib-06.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 17, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it describes the Remote Authentication Dial In User
   Service (RADIUS, RFC 2865) Dynamic Authorization Server (DAS)
   functions that support the dynamic authorization extensions as
   defined in RFC 3576.

Table of Contents

   1.  Introduction
     1.1.  Requirements notation
     1.2.  Terminology
   2.  The Internet-Standard Management Framework
   3.  Overview
   4.  RADIUS Dynamic Authorization Server MIB Definitions
   5.  Security Considerations
   6.  IANA considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   It is becoming increasingly important to support Dynamic
   Authorization extensions on network access server (NAS) devices to
   handle the Disconnect and Change-of-Authorization (CoA) messages
   described in [RFC3576].  As a result, the effective management of
   RADIUS Dynamic Authorization entities is of considerable importance.
   This RADIUS Dynamic Authorization Server (DAS) MIB complements the
   managed objects used for managing RADIUS authentication and
   accounting clients as described in [RFC2618bis] and [RFC2620bis],
   respectively.

   -- RFC Ed.: references [DYNCLNT], [RFC2618bis], [RFC2619bis],
   -- [RFC2620bis], and [RFC2621bis] should be replaced by
   -- references to the corresponding RFC.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   Dynamic Authorization Server (DAS)

      The component that resides on the NAS and processes the
      Disconnect and Change-of-Authorization (CoA) Request packets
      [RFC3576] sent by the Dynamic Authorization Client.

   Dynamic Authorization Client (DAC)

      The component that sends Disconnect and CoA-Request packets to
      the Dynamic Authorization Server.  While often residing on the
      RADIUS server, it is also possible for this component to be
      located on a separate host, such as a Rating Engine.

   Dynamic Authorization Server Port

      The UDP port on which the Dynamic Authorization Server listens
      for the Disconnect and CoA requests sent by the Dynamic
      Authorization Client.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC2578 [RFC2578], STD 58, RFC2579 [RFC2579] and STD 58, RFC2580
   [RFC2580].

3.  Overview

   "Dynamic Authorization Extensions to RADIUS" [RFC3576] defines the
   operation of Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
   CoA-Request, CoA-ACK and CoA-NAK packets.  Typically NAS devices
   implement the DAS function, and thus would be expected to implement
   the RADIUS Dynamic Authorization Server MIB, while DACs implement the
   client function, and thus would be expected to implement the RADIUS
   Dynamic Authorization Client MIB.

   However, it is possible for a RADIUS Dynamic Authorization entity to
   perform both client and server functions.  For example, a RADIUS
   proxy may act as a DAS to one or more DACs, while simultaneously
   acting as a DAC to one or more DASs.  In such situations, it is
   expected that RADIUS entities combining client and server
   functionality will support both the client and server MIBs.

   This memo describes the MIB for Dynamic Authorization Servers and
   relates to the following documents as follows:

      [RFC2618bis] describes the MIB for a RADIUS Auth Client MIB.

      [RFC2619bis] describes the MIB for a RADIUS Auth Server MIB.

      [RFC2620bis] describes the MIB for a RADIUS Acct Client MIB.

      [RFC2621bis] describes the MIB for a RADIUS Acct Server MIB.

      [DYNCLNT] describes the MIB for a RADIUS Dynamic Authorization
      Client.

   A NAS typically implements the MIBs for a RADIUS Authentication
   Client, a RADIUS accounting client, and a RADIUS Dynamic
   Authorization Server.  However, any one MIB can be implemented
   without implementing any of the other MIBs, i.e. the MIBs have no
   dependencies on each other.  A typical case would be for a device to
   implement the RADIUS authentication server, RADIUS accounting server
   and RADIUS Dynamic Authorization Client MIBs.  A RADIUS proxy might
   implement any, all or a subset of the MIBs listed above and the MIB
   as defined in this document.

             +---------------+                      +---------------+
   User 1----|               |  Disconnect-Request  |               |
             |   Dynamic     |      CoA-Request     |   Dynamic     |
   User 2----| Authorization |<---------------------| Authorization |
             |    Server     |--------------------->|    Client     |
   User 3----|    (DAS)      |    Disconnect-Ack    |    (DAC)      |
             |               |    Disconnect-NAK    |               |
             +---------------+    CoA-Ack/CoA-NAK   +---------------+

                 Figure 1: Mapping of clients and servers.

   This MIB module for the Dynamic Authorization Server contains the
   following:

   1.  Three scalar objects, and

   2.  One Dynamic Authorization Client Table.  This table contains one
       row for each DAC with which the DAS shares a secret.

4.  RADIUS Dynamic Authorization Server MIB Definitions

   RADIUS-DYNAUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE,
          Counter32, Integer32, mib-2,
          TimeTicks                   FROM SNMPv2-SMI         -- [RFC2578]
          SnmpAdminString             FROM SNMP-FRAMEWORK-MIB -- [RFC3411]
          InetAddressType,
          InetAddress                 FROM INET-ADDRESS-MIB   -- [RFC4001]
          MODULE-COMPLIANCE,
          OBJECT-GROUP                FROM SNMPv2-CONF;       -- [RFC2580]

   radiusDynAuthServerMIB MODULE-IDENTITY
          LAST-UPDATED "200606060000Z" -- 6 June 2006
          ORGANIZATION "IETF RADEXT Working Group"
          CONTACT-INFO
                 " Stefaan De Cnodder
                   Alcatel
                   Francis Wellesplein 1
                   B-2018 Antwerp
                   Belgium

                   Phone: +32 3 240 85 15
                   EMail: stefaan.de_cnodder@alcatel.be

                   Nagi Reddy Jonnala
                   Cisco Systems, Inc.
                   Divyasree Chambers, B Wing,
                   O'Shaugnessy Road,
                   Bangalore-560027, India.

                   Phone: +91 94487 60828
                   EMail: njonnala@cisco.com

                   Murtaza Chiba
                   Cisco Systems, Inc.
                   170 West Tasman Dr.
                   San Jose CA, 95134

                   Phone: +1 408 525 7198
                   EMail: mchiba@cisco.com "
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Dynamic Authorization Extensions to Remote
                 Authentication Dial In User Service (RADIUS) protocol.

                 Copyright (C) The Internet Society (2006).  Initial
                 version as published in RFC yyyy;
                 for full legal notices see the RFC itself."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note

          REVISION "200606060000Z" -- 6 June 2006
          DESCRIPTION "Initial version as published in RFC yyyy."
          -- RFC Ed.: replace yyyy with actual RFC number & remove this note
          ::= { mib-2 xxx }
          -- The value xxx to be assigned by IANA.
   radiusDynAuthServerMIBObjects OBJECT IDENTIFIER ::=
                                           { radiusDynAuthServerMIB 1 }

   radiusDynAuthServerScalars OBJECT IDENTIFIER ::=
                                    { radiusDynAuthServerMIBObjects 1 }

   radiusDynAuthServerDisconInvalidClientAddresses OBJECT-TYPE
         SYNTAX     Counter32
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of Disconnect-Request packets received from
                unknown addresses.  This counter may experience a
                discontinuity when the DAS module (re)starts as
                indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         ::= { radiusDynAuthServerScalars 1 }

   radiusDynAuthServerCoAInvalidClientAddresses OBJECT-TYPE
         SYNTAX     Counter32
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of CoA-Request packets received from unknown
                addresses.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the value
                of radiusDynAuthServerCounterDiscontinuity."
         ::= { radiusDynAuthServerScalars 2 }

   radiusDynAuthServerIdentifier OBJECT-TYPE
         SYNTAX     SnmpAdminString
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The NAS-Identifier of the RADIUS Dynamic Authorization
                Server.  This is not necessarily the same as sysName in
                MIB II."
         REFERENCE
               "RFC 2865, Section 5.32, NAS-Identifier."
         ::= { radiusDynAuthServerScalars 3 }

   radiusDynAuthClientTable OBJECT-TYPE
         SYNTAX     SEQUENCE OF RadiusDynAuthClientEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "The (conceptual) table listing the RADIUS Dynamic
                Authorization Clients with which the server shares a
                secret."
         ::= { radiusDynAuthServerMIBObjects 2 }

   radiusDynAuthClientEntry OBJECT-TYPE
         SYNTAX     RadiusDynAuthClientEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "An entry (conceptual row) representing one Dynamic
                Authorization Client with which the server shares a
                secret."
         INDEX      { radiusDynAuthClientIndex }
         ::= { radiusDynAuthClientTable 1 }

   RadiusDynAuthClientEntry ::= SEQUENCE {
         radiusDynAuthClientIndex                     Integer32,
         radiusDynAuthClientAddressType               InetAddressType,
         radiusDynAuthClientAddress                   InetAddress,
         radiusDynAuthServDisconRequests              Counter32,
         radiusDynAuthServDisconAuthOnlyRequests      Counter32,
         radiusDynAuthServDupDisconRequests           Counter32,
         radiusDynAuthServDisconAcks                  Counter32,
         radiusDynAuthServDisconNaks                  Counter32,
         radiusDynAuthServDisconNakAuthOnlyRequests   Counter32,
         radiusDynAuthServDisconNakSessNoContext      Counter32,
         radiusDynAuthServDisconUserSessRemoved       Counter32,
         radiusDynAuthServMalformedDisconRequests     Counter32,
         radiusDynAuthServDisconBadAuthenticators     Counter32,
         radiusDynAuthServDisconPacketsDropped        Counter32,
         radiusDynAuthServCoARequests                 Counter32,
         radiusDynAuthServCoAAuthOnlyRequests         Counter32,
         radiusDynAuthServDupCoARequests              Counter32,
         radiusDynAuthServCoAAcks                     Counter32,
         radiusDynAuthServCoANaks                     Counter32,
         radiusDynAuthServCoANakAuthOnlyRequests      Counter32,
         radiusDynAuthServCoANakSessNoContext         Counter32,
         radiusDynAuthServCoAUserSessChanged          Counter32,
         radiusDynAuthServMalformedCoARequests        Counter32,
         radiusDynAuthServCoABadAuthenticators        Counter32,
         radiusDynAuthServCoAPacketsDropped           Counter32,
         radiusDynAuthServUnknownTypes                Counter32,
         radiusDynAuthServerCounterDiscontinuity      TimeTicks
   }

   radiusDynAuthClientIndex OBJECT-TYPE
         SYNTAX     Integer32 (1..2147483647)
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
               "A number uniquely identifying each RADIUS Dynamic
                Authorization Client with which this Dynamic
                Authorization Server communicates.  This number is
                allocated by the agent implementing this MIB module,
                and is unique in this context."
         ::= { radiusDynAuthClientEntry 1 }

   radiusDynAuthClientAddressType OBJECT-TYPE
         SYNTAX     InetAddressType
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The type of IP address of the RADIUS Dynamic
                Authorization Client referred to in this table entry."
         ::= { radiusDynAuthClientEntry 2 }

   radiusDynAuthClientAddress OBJECT-TYPE
         SYNTAX     InetAddress
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The IP address value of the RADIUS Dynamic
                Authorization Client referred to in this table entry,
                using the version neutral IP address format.  The type
                of this address is determined by the value of
                the radiusDynAuthClientAddressType object."
         ::= { radiusDynAuthClientEntry 3 }

   radiusDynAuthServDisconRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Requests received
                from this Dynamic Authorization Client.  This also
                includes the RADIUS Disconnect-Requests that have a
                Service-Type attribute with value 'Authorize Only'.
                This counter may experience a discontinuity when the
                DAS module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 4 }

   radiusDynAuthServDisconAuthOnlyRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Requests that include
                a Service-Type attribute with value 'Authorize Only'
                received from this Dynamic Authorization Client.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 5 }

   radiusDynAuthServDupDisconRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of duplicate RADIUS Disconnect-Request
                packets received from this Dynamic Authorization
                Client.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the
                value of radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 6 }

   radiusDynAuthServDisconAcks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-ACK packets sent to
                this Dynamic Authorization Client.  This counter may
                experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 7 }

   radiusDynAuthServDisconNaks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                sent to this Dynamic Authorization Client.  This
                includes the RADIUS Disconnect-NAK packets sent
                with a Service-Type attribute with value 'Authorize
                Only' and the RADIUS Disconnect-NAK packets sent
                because no session context was found.  This counter
                may experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 8 }

   radiusDynAuthServDisconNakAuthOnlyRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets that
                include a Service-Type attribute with value
                'Authorize Only' sent to this Dynamic Authorization
                Client.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the
                value of radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 9 }

   radiusDynAuthServDisconNakSessNoContext OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-NAK packets
                sent to this Dynamic Authorization Client
                because no session context was found.  This counter may
                experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 10 }

   radiusDynAuthServDisconUserSessRemoved OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "sessions"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of user sessions removed for the
                Disconnect-Requests received from this
                Dynamic Authorization Client.  Depending on site
                specific policies, a single Disconnect request
                can remove multiple user sessions.  In the case
                that this Dynamic Authorization Server has no
                knowledge of the number of user sessions that
                are affected by a single request, for each such
                Disconnect-Request, it will count as a single
                affected user session only.  This counter may experience
                a discontinuity when the DAS module (re)starts as
                indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM)."
         ::= { radiusDynAuthClientEntry 11 }

   radiusDynAuthServMalformedDisconRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of malformed RADIUS Disconnect-Request
                packets received from this Dynamic Authorization
                Client.  Bad authenticators and unknown types are not
                included as malformed Disconnect-Requests.  This counter
                may experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 12 }

   radiusDynAuthServDisconBadAuthenticators OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS Disconnect-Request packets
                which contained invalid Authenticator field
                received from this Dynamic Authorization Client.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 13 }

   radiusDynAuthServDisconPacketsDropped OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming Disconnect-Requests
                from this Dynamic Authorization Client silently
                discarded by the server application for some reason
                other than malformed, bad authenticators or unknown
                types.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the
                value of radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.1, Disconnect Messages (DM), and
                Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 14 }

   radiusDynAuthServCoARequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-requests received from this
                Dynamic Authorization Client.  This also includes
                the CoA requests that have a Service-Type attribute
                with value 'Authorize Only'.  This counter may
                experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 15 }

   radiusDynAuthServCoAAuthOnlyRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-requests that include a
                Service-Type attribute with value 'Authorize Only'
                received from this Dynamic Authorization Client.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 16 }

   radiusDynAuthServDupCoARequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of duplicate RADIUS CoA-Request packets
                received from this Dynamic Authorization Client.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 17 }

   radiusDynAuthServCoAAcks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-ACK packets sent to this
                Dynamic Authorization Client.  This counter may
                experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 18 }

   radiusDynAuthServCoANaks OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets sent to
                this Dynamic Authorization Client.  This includes
                the RADIUS CoA-NAK packets sent with a Service-Type
                attribute with value 'Authorize Only' and the RADIUS
                CoA-NAK packets sent because no session context was
                found.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the
                value of radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 19 }

   radiusDynAuthServCoANakAuthOnlyRequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets that include a
                Service-Type attribute with value 'Authorize Only'
                sent to this Dynamic Authorization Client.  This counter
                may experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 20 }

   radiusDynAuthServCoANakSessNoContext OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "replies"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-NAK packets sent to this
                Dynamic Authorization Client because no session context
                was found.  This counter may experience a discontinuity
                when the DAS module (re)starts as indicated by the
                value of radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 21 }

   radiusDynAuthServCoAUserSessChanged OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "sessions"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of user sessions authorization
                changed for the CoA-Requests received from this
                Dynamic Authorization Client.  Depending on site
                specific policies, a single CoA request can change
                multiple user sessions' authorization.  In the case
                this Dynamic Authorization Server has no knowledge of
                the number of user sessions that are affected by a
                single request, for each such CoA-Request, it will
                count as a single affected user session only.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA)."
         ::= { radiusDynAuthClientEntry 22 }

   radiusDynAuthServMalformedCoARequests OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of malformed RADIUS CoA-Request packets
                received from this Dynamic Authorization Client.  Bad
                authenticators and unknown types are not included as
                malformed CoA-Requests.
                This counter may experience a
                discontinuity when the DAS module (re)starts as
                indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 23 }

   radiusDynAuthServCoABadAuthenticators OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of RADIUS CoA-Request packets which
                contained invalid Authenticator field received
                from this Dynamic Authorization Client.  This counter
                may experience a discontinuity when the DAS module
                (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 24 }

   radiusDynAuthServCoAPacketsDropped OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming CoA packets from this
                Dynamic Authorization Client silently discarded
                by the server application for some reason other than
                malformed, bad authenticators or unknown types.  This
                counter may experience a discontinuity when the DAS
                module (re)starts as indicated by the value of
                radiusDynAuthServerCounterDiscontinuity."
         REFERENCE
               "RFC 3576, Section 2.2, Change-of-Authorization
                Messages (CoA), and Section 2.3, Packet Format."
         ::= { radiusDynAuthClientEntry 25 }

   radiusDynAuthServUnknownTypes OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "requests"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
               "The number of incoming packets of unknown types which
                were received on the Dynamic Authorization port.
This 765 counter may experience a discontinuity when the DAS 766 module (re)starts as indicated by the value of 767 radiusDynAuthServerCounterDiscontinuity." 768 REFERENCE 769 "RFC 3576, Section 2.3, Packet Format." 770 ::= { radiusDynAuthClientEntry 26 } 772 radiusDynAuthServerCounterDiscontinuity OBJECT-TYPE 773 SYNTAX TimeTicks 774 UNITS "hundredths of a second" 775 MAX-ACCESS read-only 776 STATUS current 777 DESCRIPTION 778 "The time (in hundredths of a second) since the 779 last counter discontinuity. A discontinuity may 780 be the result of a reinitialization of the DAS 781 module within the managed entity." 782 ::= { radiusDynAuthClientEntry 27 } 784 -- conformance information 786 radiusDynAuthServerMIBConformance 787 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIB 2 } 788 radiusDynAuthServerMIBCompliances 789 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 1 } 790 radiusDynAuthServerMIBGroups 791 OBJECT IDENTIFIER ::= { radiusDynAuthServerMIBConformance 2 } 793 -- compliance statements 795 radiusAuthServerMIBCompliance MODULE-COMPLIANCE 796 STATUS current 797 DESCRIPTION 798 "The compliance statement for entities implementing 799 the RADIUS Dynamic Authorization Server. Implementation 800 of this module is for entities that support IPv4 and/or 801 IPv6." 802 MODULE -- this module 803 MANDATORY-GROUPS { radiusDynAuthServerMIBGroup } 805 OBJECT radiusDynAuthClientAddressType 806 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 807 DESCRIPTION 808 "An implementation is only required to support IPv4 and 809 globally unique IPv6 addresses." 811 OBJECT radiusDynAuthClientAddress 812 SYNTAX InetAddress (SIZE(4|16)) 813 DESCRIPTION 814 "An implementation is only required to support IPv4 and 815 globally unique IPv6 addresses." 817 GROUP radiusDynAuthServerAuthOnlyGroup 818 DESCRIPTION 819 "Only required for Dynamic Authorization Clients that 820 are supporting Service-Type attributes with value 821 'Authorize-Only'." 
         GROUP radiusDynAuthServerNoSessGroup
         DESCRIPTION
               "This group is not required in case the Dynamic
                Authorization Server cannot easily determine whether
                a session exists or not (e.g., in case of a RADIUS
                proxy)."

         ::= { radiusDynAuthServerMIBCompliances 1 }

   -- units of conformance

   radiusDynAuthServerMIBGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthServerDisconInvalidClientAddresses,
                   radiusDynAuthServerCoAInvalidClientAddresses,
                   radiusDynAuthServerIdentifier,
                   radiusDynAuthClientAddressType,
                   radiusDynAuthClientAddress,
                   radiusDynAuthServDisconRequests,
                   radiusDynAuthServDupDisconRequests,
                   radiusDynAuthServDisconAcks,
                   radiusDynAuthServDisconNaks,
                   radiusDynAuthServDisconUserSessRemoved,
                   radiusDynAuthServMalformedDisconRequests,
                   radiusDynAuthServDisconBadAuthenticators,
                   radiusDynAuthServDisconPacketsDropped,
                   radiusDynAuthServCoARequests,
                   radiusDynAuthServDupCoARequests,
                   radiusDynAuthServCoAAcks,
                   radiusDynAuthServCoANaks,
                   radiusDynAuthServCoAUserSessChanged,
                   radiusDynAuthServMalformedCoARequests,
                   radiusDynAuthServCoABadAuthenticators,
                   radiusDynAuthServCoAPacketsDropped,
                   radiusDynAuthServUnknownTypes,
                   radiusDynAuthServerCounterDiscontinuity
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Dynamic Authorization Server."
         ::= { radiusDynAuthServerMIBGroups 1 }

   radiusDynAuthServerAuthOnlyGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthServDisconAuthOnlyRequests,
                   radiusDynAuthServDisconNakAuthOnlyRequests,
                   radiusDynAuthServCoAAuthOnlyRequests,
                   radiusDynAuthServCoANakAuthOnlyRequests
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages including Service-Type attribute with
                value 'Authorize Only'."
         ::= { radiusDynAuthServerMIBGroups 2 }

   radiusDynAuthServerNoSessGroup OBJECT-GROUP
         OBJECTS { radiusDynAuthServDisconNakSessNoContext,
                   radiusDynAuthServCoANakSessNoContext
                 }
         STATUS current
         DESCRIPTION
               "The collection of objects supporting the RADIUS
                messages that are referring to non-existing sessions."
         ::= { radiusDynAuthServerMIBGroups 3 }

   END

5.  Security Considerations

   There are no management objects defined in this MIB module that have
   a MAX-ACCESS clause of read-write and/or read-create.  So, if this
   MIB module is implemented correctly, then there is no risk that an
   intruder can alter or create any management objects of this MIB
   module via direct SNMP SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusDynAuthClientAddress and radiusDynAuthClientAddressType

   These can be used to determine the address of the DAC with which the
   DAS is communicating.  This information could be useful in mounting
   an attack on the DAC.

   radiusDynAuthServerIdentifier

   This can be used to determine the Identifier of the DAS.  This
   information could be useful in impersonating the DAS.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.
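   The per-client counters defined in the module above are read-only,
   so their value to a defender lies in polling them and watching their
   growth, while honouring the discontinuity semantics each DESCRIPTION
   clause spells out.  The following is an added example (not part of
   this draft or of any implementation of it): a poller-side delta and
   alerting routine.  The object names are the draft's; the poll
   timestamps, counter values and alert threshold are constructed.

```python
# Added example, not from the draft: object names are the draft's; polls, clock
# values and the alert threshold are constructed.
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # Counter32 wraps modulo 2^32 (SMIv2)
WATCHED = ("radiusDynAuthServCoABadAuthenticators", "radiusDynAuthServMalformedCoARequests",
           "radiusDynAuthServCoAPacketsDropped", "radiusDynAuthServUnknownTypes")

@dataclass(frozen=True)
class DasPoll:
    """One SNMP GET of a radiusDynAuthClientEntry row."""
    polled_at: int      # poller's own clock, hundredths of a second (constructed)
    discontinuity: int  # radiusDynAuthServerCounterDiscontinuity, TimeTicks
    counters: dict      # Counter32 objects of the row, by name

def counter32_delta(prev: int, curr: int) -> int:
    """Increase of a Counter32 between polls, tolerating a single wrap."""
    return (curr - prev) % COUNTER32_MOD

def das_restarted(prev: DasPoll, curr: DasPoll) -> bool:
    """Time since the last discontinuity shorter than the poll interval means the
    DAS module (re)started after `prev`; the two polls are then not comparable."""
    return curr.discontinuity < curr.polled_at - prev.polled_at

def counter_deltas(prev: DasPoll, curr: DasPoll):
    """Per-counter increases, or None when a discontinuity invalidates them."""
    if das_restarted(prev, curr):
        return None
    return {n: counter32_delta(prev.counters.get(n, 0), v) for n, v in curr.counters.items()}

def alerts(prev: DasPoll, curr: DasPoll, threshold: int = 10) -> list:
    """Watched counters that grew by more than `threshold` in one interval; a burst
    of bad Authenticators usually means a shared-secret mismatch or an unexpected sender."""
    deltas = counter_deltas(prev, curr)
    return [] if deltas is None else [n for n in WATCHED if deltas.get(n, 0) > threshold]

# Constructed polls 60 s apart: the malformed counter wraps between the first two,
# and the DAS restarted 15 s before the third poll.
POLL_1 = DasPoll(100_000, 500_000, {"radiusDynAuthServCoARequests": 4_000,
                                    "radiusDynAuthServCoABadAuthenticators": 3,
                                    "radiusDynAuthServMalformedCoARequests": 2**32 - 5})
POLL_2 = DasPoll(106_000, 506_000, {"radiusDynAuthServCoARequests": 4_120,
                                    "radiusDynAuthServCoABadAuthenticators": 75,
                                    "radiusDynAuthServMalformedCoARequests": 3})
POLL_3 = DasPoll(112_000, 1_500, {"radiusDynAuthServCoARequests": 7,
                                  "radiusDynAuthServCoABadAuthenticators": 0,
                                  "radiusDynAuthServMalformedCoARequests": 0})
```

   A poller that ignores radiusDynAuthServerCounterDiscontinuity would
   compute a huge negative (or wrapped) delta after a DAS restart and
   raise a spurious alert; the routine above baselines again instead.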
   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations

   IANA is requested to assign an OID xxx under mib-2.

7.  Acknowledgements

   The authors would like to acknowledge the following people for
   their comments on this document: Bernard Aboba, Alan DeKok, David
   Nelson, Anjaneyulu Pata, Dan Romascanu, Juergen Schoenwaelder, Greg
   Weber, Bert Wijnen and Glen Zorn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 3576,
              July 2003.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

8.2.  Informative References

   [DYNCLNT]  De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS Dynamic
              Authorization Client MIB",
              draft-ietf-radext-dynauth-client-mib-05.txt, work in
              progress, December 2005.

   [RFC2618bis]
              Nelson, D., "RADIUS Auth Client MIB (IPv6)",
              draft-ietf-radext-rfc2618bis-01.txt, work in progress,
              October 2005.

   [RFC2619bis]
              Nelson, D., "RADIUS Auth Server MIB (IPv6)",
              draft-ietf-radext-rfc2619bis-01.txt, work in progress,
              October 2005.

   [RFC2620bis]
              Nelson, D., "RADIUS Acct Client MIB (IPv6)",
              draft-ietf-radext-rfc2620bis-01.txt, work in progress,
              October 2005.

   [RFC2621bis]
              Nelson, D., "RADIUS Acct Server MIB (IPv6)",
              draft-ietf-radext-rfc2621bis-01.txt, work in progress,
              October 2005.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Stefaan De Cnodder
   Alcatel
   Francis Wellesplein 1
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel.be

   Nagi Reddy Jonnala
   Cisco Systems, Inc.
   Divyasree Chambers, B Wing, O'Shaugnessy Road
   Bangalore-560027, India

   Phone: +91 94487 60828
   Email: njonnala@cisco.com

   Murtaza Chiba
   Cisco Systems, Inc.
   170 West Tasman Dr.
   San Jose CA, 95134

   Phone: +1 408 525 7198
   Email: mchiba@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.