idnits 2.17.1

draft-ietf-radext-rfc2618bis-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 911.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 888.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 895.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 901.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

     (Using the creation date from RFC2618, updated by this document, for
     RFC5378 checks: 1997-08-26)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (August 30, 2005) is 6813 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 110, but not defined

  == Unused Reference: 'RFC3418' is defined on line 845, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2618
     (Obsoleted by RFC 4668)

     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  2  Network Working Group                                      D. Nelson
  3  Internet-Draft                                    Enterasys Networks
  4  Updates: RFC 2618 (if approved)                      August 30, 2005
  5  Expires: March 3, 2006

  7                     RADIUS Auth Client MIB (IPv6)
  8                  draft-ietf-radext-rfc2618bis-00.txt

 10  Status of this Memo

 12     By submitting this Internet-Draft, each author represents that any
 13     applicable patent or other IPR claims of which he or she is aware
 14     have been or will be disclosed, and any of which he or she becomes
 15     aware will be disclosed, in accordance with Section 6 of BCP 79.

 17     Internet-Drafts are working documents of the Internet Engineering
 18     Task Force (IETF), its areas, and its working groups. Note that
 19     other groups may also distribute working documents as
 20     Internet-Drafts.

 22     Internet-Drafts are draft documents valid for a maximum of six months
 23     and may be updated, replaced, or obsoleted by other documents at any
 24     time. It is inappropriate to use Internet-Drafts as reference
 25     material or to cite them other than as "work in progress."

 27     The list of current Internet-Drafts can be accessed at
 28     http://www.ietf.org/ietf/1id-abstracts.txt.

 30     The list of Internet-Draft Shadow Directories can be accessed at
 31     http://www.ietf.org/shadow.html.

 33     This Internet-Draft will expire on March 3, 2006.

 35  Copyright Notice

 37     Copyright (C) The Internet Society (2005).

 39  Abstract

 41     This memo updates RFC 2618 by deprecating the MIB table containing
 42     IPv4-only address formats and defining a new table to add support for
 43     version neutral IP address formats.

 45  Table of Contents

 47     1. Terminology
 48     2. Introduction
 49     3. The Internet-Standard Management Framework
 50     4. Scope of Changes
 51     5. Structure of the MIB Module
 52     6. Deprecated Objects
 53     7. Definitions
 54     8. IANA Considerations
 55     9. Security Considerations
 56     10. References
 57        10.1. Normative References
 58        10.2. Informative References
 59     Appendix A. Acknowledgments
 60     Author's Address
 61     Intellectual Property and Copyright Statements

 63  1. Terminology

 65     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 66     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 67     document are to be interpreted as described in RFC 2119 [RFC2119].

 69     This document uses terminology from RFC 2865 [RFC2865].

 71  2. Introduction

 73     This memo defines a portion of the Management Information Base (MIB)
 74     for use with network management protocols in the Internet community.
 75     The objects defined within this memo relate to the Remote
 76     Authentication Dial-In User Service (RADIUS) Authentication Client as
 77     defined in RFC 2865 [RFC2865].

 79  3. The Internet-Standard Management Framework

 81     For a detailed overview of the documents that describe the current
 82     Internet-Standard Management Framework, please refer to section 7 of
 83     RFC 3410 [RFC3410].

 85     Managed objects are accessed via a virtual information store, termed
 86     the Management Information Base or MIB. MIB objects are generally
 87     accessed through the Simple Network Management Protocol (SNMP).
 88     Objects in the MIB are defined using the mechanisms defined in the
 89     Structure of Management Information (SMI). This memo specifies a MIB
 90     module that is compliant to the SMIv2, which is described in STD 58,
 91     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
 92     [RFC2580].

 94  4. Scope of Changes

 96     This document updates RFC 2618 [RFC2618], RADIUS Authentication
 97     Client MIB, by deprecating the radiusAuthServerTable table and adding
 98     a new table, radiusAuthServerExtTable, containing
 99     radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
100     radiusAuthClientServerInetPortNumber. The purpose of these added MIB
101     objects is to support version neutral IP addressing formats. The
102     existing table containing radiusAuthServerAddress and
103     radiusAuthClientServerPortNumber is deprecated.

105     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
106     IPv6 addresses, contains the following recommendation.

108     'In particular, when revising a MIB module that contains IPv4
109     specific tables, it is suggested to define new tables using the
110     textual conventions defined in this memo [RFC 4001] that support all
111     versions of IP. The status of the new tables SHOULD be "current",
112     whereas the status of the old IP version specific tables SHOULD be
113     changed to "deprecated". The other approach, of having multiple
114     similar tables for different IP versions, is strongly discouraged.'

116  5. Structure of the MIB Module

118     The structure of the MIB Module defined in this memo corresponds to
119     the structure of the MIB Module defined in RADIUS Authentication
120     Client MIB, RFC 2618 [RFC2618]. This MIB module contains two scalars
121     as well as a single table, the RADIUS Authentication Server Table,
122     which contains one row for each RADIUS authentication server with
123     which the client shares a secret.

125     Each entry in the RADIUS Authentication Server Table includes sixteen
126     columns presenting a view of the activity of the RADIUS
127     authentication client.

129  6. Deprecated Objects

131     The deprecated table in this MIB is carried forward from RFC 2618
132     [RFC2618]. There are two conditions under which it MAY be desirable
133     for managed entities to continue to support the deprecated table:

135     1. The managed entity only supports IPv4 address formats.
136     2. The managed entity supports both IPv4 and IPv6 address formats,
137        and the deprecated table is supported for backwards compatibility
138        with older management stations. This option SHOULD only be used
139        when the IP addresses in the new table are in IPv4 format and can
140        accurately be represented in both the new table and the
141        deprecated table.

143     Managed entities SHOULD NOT instantiate the deprecated table
144     containing IPv4-only address objects when the RADIUS server address
145     represented in the table row is not an IPv4 address. Managed
146     entities SHOULD NOT return inaccurate values of IP address or SNMP
147     object access errors for IPv4-only address objects in otherwise
148     populated tables.

150  7. Definitions

152     RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN
153     IMPORTS
154        MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
155        Counter32, Integer32, Gauge32,
156        IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
157        SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
158        InetAddressType, InetAddress,
159        InetPortNumber                   FROM INET-ADDRESS-MIB
160        MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

162     radiusAuthClientMIB MODULE-IDENTITY
163        LAST-UPDATED "200508300000Z" -- 30 Aug 2005
164        ORGANIZATION "IETF RADIUS Extensions Working Group."
165        CONTACT-INFO
166           " Bernard Aboba
167             Microsoft
168             One Microsoft Way
169             Redmond, WA 98052
170             US
171             Phone: +1 425 936 6605
172             EMail: bernarda@microsoft.com"
173        DESCRIPTION
174           "The MIB module for entities implementing the client
175            side of the Remote Authentication Dial-In User Service
176            (RADIUS) authentication protocol."
177        REVISION "9906110000Z" -- 11 Jun 1999
178        DESCRIPTION "Initial version as published in RFC 2618"
179        REVISION "200508300000Z" -- 30 Aug 2005
180        DESCRIPTION "Revised version as published in RFC xxxx"

182     -- RFC Editor: replace xxxx with actual RFC number at the time of
183     -- publication, and remove this note.

185        ::= { radiusAuthentication 2 }

187     radiusMIB OBJECT-IDENTITY
188        STATUS current
189        DESCRIPTION
190           "The OID assigned to RADIUS MIB work by the IANA."
191        ::= { mib-2 67 }

193     radiusAuthClientExtMIB OBJECT-IDENTITY
194        STATUS current
195        DESCRIPTION
196           "The OID assigned to RADIUS Extensions MIB work by
197            the IANA."
198        ::= { mib-2 TBA }

200     -- RFC Editor: replace TBA with IANA assigned OID value, and
201     -- remove this note.

203     radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}

205     radiusAuthClientMIBObjects OBJECT IDENTIFIER
206        ::= { radiusAuthClientMIB 1 }

208     radiusAuthClient OBJECT IDENTIFIER
209        ::= { radiusAuthClientMIBObjects 1 }

211     radiusAuthClientInvalidServerAddresses OBJECT-TYPE
212        SYNTAX Counter32
213        MAX-ACCESS read-only
214        STATUS current
215        DESCRIPTION
216           "The number of RADIUS Access-Response packets
217            received from unknown addresses."
218        ::= { radiusAuthClient 1 }

220     radiusAuthClientIdentifier OBJECT-TYPE
221        SYNTAX SnmpAdminString
222        MAX-ACCESS read-only
223        STATUS current
224        DESCRIPTION
225           "The NAS-Identifier of the RADIUS authentication client.
226            This is not necessarily the same as sysName in MIB II."
227        ::= { radiusAuthClient 2 }

229     radiusAuthServerTable OBJECT-TYPE
230        SYNTAX SEQUENCE OF RadiusAuthServerEntry
231        MAX-ACCESS not-accessible
232        STATUS deprecated
233        DESCRIPTION
234           "The (conceptual) table listing the RADIUS authentication
235            servers with which the client shares a secret."
236        ::= { radiusAuthClient 3 }

238     radiusAuthServerEntry OBJECT-TYPE
239        SYNTAX RadiusAuthServerEntry
240        MAX-ACCESS not-accessible
241        STATUS deprecated
242        DESCRIPTION
243           "An entry (conceptual row) representing a RADIUS
244            authentication server with which the client shares
245            a secret."
246        INDEX { radiusAuthServerIndex }
247        ::= { radiusAuthServerTable 1 }

249     RadiusAuthServerEntry ::= SEQUENCE {
250        radiusAuthServerIndex                     Integer32,
251        radiusAuthServerAddress                   IpAddress,
252        radiusAuthClientServerPortNumber          Integer32,
253        radiusAuthClientRoundTripTime             TimeTicks,
254        radiusAuthClientAccessRequests            Counter32,
255        radiusAuthClientAccessRetransmissions     Counter32,
256        radiusAuthClientAccessAccepts             Counter32,
257        radiusAuthClientAccessRejects             Counter32,
258        radiusAuthClientAccessChallenges          Counter32,
259        radiusAuthClientMalformedAccessResponses  Counter32,
260        radiusAuthClientBadAuthenticators         Counter32,
261        radiusAuthClientPendingRequests           Gauge32,
262        radiusAuthClientTimeouts                  Counter32,
263        radiusAuthClientUnknownTypes              Counter32,
264        radiusAuthClientPacketsDropped            Counter32
265     }

267     radiusAuthServerIndex OBJECT-TYPE
268        SYNTAX Integer32 (1..2147483647)
269        MAX-ACCESS not-accessible
270        STATUS deprecated
271        DESCRIPTION
272           "A number uniquely identifying each RADIUS
273            Authentication server with which this client
274            communicates."
275        ::= { radiusAuthServerEntry 1 }

277     radiusAuthServerAddress OBJECT-TYPE
278        SYNTAX IpAddress
279        MAX-ACCESS read-only
280        STATUS deprecated
281        DESCRIPTION
282           "The IP address of the RADIUS authentication server
283            referred to in this table entry."
284        ::= { radiusAuthServerEntry 2 }

286     radiusAuthClientServerPortNumber OBJECT-TYPE
287        SYNTAX Integer32 (0..65535)
288        MAX-ACCESS read-only
289        STATUS deprecated
290        DESCRIPTION
291           "The UDP port the client is using to send requests to
292            this server."
293        ::= { radiusAuthServerEntry 3 }

295     radiusAuthClientRoundTripTime OBJECT-TYPE
296        SYNTAX TimeTicks
297        MAX-ACCESS read-only
298        STATUS deprecated
299        DESCRIPTION
300           "The time interval (in hundredths of a second) between
301            the most recent Access-Reply/Access-Challenge and the
302            Access-Request that matched it from this RADIUS
303            authentication server."
304        ::= { radiusAuthServerEntry 4 }

306     -- Request/Response statistics
307     --
308     -- TotalIncomingPackets = Accepts + Rejects + Challenges +
309     -- UnknownTypes
310     --
311     -- TotalIncomingPackets - MalformedResponses -
312     -- BadAuthenticators - UnknownTypes - PacketsDropped =
313     -- Successfully received
314     --
315     -- AccessRequests + PendingRequests + ClientTimeouts =
316     -- Successfully received
317     --
318     --

320     radiusAuthClientAccessRequests OBJECT-TYPE
321        SYNTAX Counter32
322        MAX-ACCESS read-only
323        STATUS deprecated
324        DESCRIPTION
325           "The number of RADIUS Access-Request packets sent
326            to this server. This does not include retransmissions."
327        ::= { radiusAuthServerEntry 5 }

329     radiusAuthClientAccessRetransmissions OBJECT-TYPE
330        SYNTAX Counter32
331        MAX-ACCESS read-only
332        STATUS deprecated
333        DESCRIPTION
334           "The number of RADIUS Access-Request packets
335            retransmitted to this RADIUS authentication server."
336        ::= { radiusAuthServerEntry 6 }

338     radiusAuthClientAccessAccepts OBJECT-TYPE
339        SYNTAX Counter32
340        MAX-ACCESS read-only
341        STATUS deprecated
342        DESCRIPTION
343           "The number of RADIUS Access-Accept packets
344            (valid or invalid) received from this server."

346        ::= { radiusAuthServerEntry 7 }

348     radiusAuthClientAccessRejects OBJECT-TYPE
349        SYNTAX Counter32
350        MAX-ACCESS read-only
351        STATUS deprecated
352        DESCRIPTION
353           "The number of RADIUS Access-Reject packets
354            (valid or invalid) received from this server."
355        ::= { radiusAuthServerEntry 8 }

357     radiusAuthClientAccessChallenges OBJECT-TYPE
358        SYNTAX Counter32
359        MAX-ACCESS read-only
360        STATUS deprecated
361        DESCRIPTION
362           "The number of RADIUS Access-Challenge packets
363            (valid or invalid) received from this server."
364        ::= { radiusAuthServerEntry 9 }

366     -- "Access-Response" includes an Access-Accept, Access-Challenge
367     -- or Access-Reject

369     radiusAuthClientMalformedAccessResponses OBJECT-TYPE
370        SYNTAX Counter32
371        MAX-ACCESS read-only
372        STATUS deprecated
373        DESCRIPTION
374           "The number of malformed RADIUS Access-Response
375            packets received from this server.
376            Malformed packets include packets with
377            an invalid length. Bad authenticators or
378            Message Authenticator attributes or unknown types
379            are not included as malformed access responses."
380        ::= { radiusAuthServerEntry 10 }

382     radiusAuthClientBadAuthenticators OBJECT-TYPE
383        SYNTAX Counter32
384        MAX-ACCESS read-only
385        STATUS deprecated
386        DESCRIPTION
387           "The number of RADIUS Access-Response packets
388            containing invalid authenticators or Message
389            Authenticator attributes received from this server."
390        ::= { radiusAuthServerEntry 11 }

392     radiusAuthClientPendingRequests OBJECT-TYPE
393        SYNTAX Gauge32
394        MAX-ACCESS read-only
395        STATUS deprecated
396        DESCRIPTION
397           "The number of RADIUS Access-Request packets
398            destined for this server that have not yet timed out
399            or received a response. This variable is incremented
400            when an Access-Request is sent and decremented due to
401            receipt of an Access-Accept, Access-Reject or
402            Access-Challenge, a timeout or retransmission."
403        ::= { radiusAuthServerEntry 12 }

405     radiusAuthClientTimeouts OBJECT-TYPE
406        SYNTAX Counter32
407        MAX-ACCESS read-only
408        STATUS deprecated
409        DESCRIPTION
410           "The number of authentication timeouts to this server.
411            After a timeout the client may retry to the same
412            server, send to a different server, or
413            give up. A retry to the same server is counted as a
414            retransmit as well as a timeout. A send to a different
415            server is counted as a Request as well as a timeout."
416        ::= { radiusAuthServerEntry 13 }

418     radiusAuthClientUnknownTypes OBJECT-TYPE
419        SYNTAX Counter32
420        MAX-ACCESS read-only
421        STATUS deprecated
422        DESCRIPTION
423           "The number of RADIUS packets of unknown type which
424            were received from this server on the authentication
425            port."
426        ::= { radiusAuthServerEntry 14 }

428     radiusAuthClientPacketsDropped OBJECT-TYPE
429        SYNTAX Counter32
430        MAX-ACCESS read-only
431        STATUS deprecated
432        DESCRIPTION
433           "The number of RADIUS packets which were
434            received from this server on the authentication port
435            and dropped for some other reason."
436        ::= { radiusAuthServerEntry 15 }

438     -- Extended MIB Objects

440     radiusAuthClientExtMIBNotifications OBJECT IDENTIFIER
441        ::= { radiusAuthClientExtMIB 0 }

443     radiusAuthClientExtMIBObjects OBJECT IDENTIFIER
444        ::= { radiusAuthClientExtMIB 1 }

446     radiusAuthClientExtMIBConformance OBJECT IDENTIFIER
447        ::= { radiusAuthClientExtMIB 2 }

449     radiusAuthServerExtTable OBJECT-TYPE
450        SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
451        MAX-ACCESS not-accessible
452        STATUS current
453        DESCRIPTION
454           "The (conceptual) table listing the RADIUS authentication
455            servers with which the client shares a secret."
456        ::= { radiusAuthClientExtMIBObjects 1 }

458     radiusAuthServerExtEntry OBJECT-TYPE
459        SYNTAX RadiusAuthServerExtEntry
460        MAX-ACCESS not-accessible
461        STATUS current
462        DESCRIPTION
463           "An entry (conceptual row) representing a RADIUS
464            authentication server with which the client shares
465            a secret."
466        INDEX { radiusAuthServerExtIndex }
467        ::= { radiusAuthServerExtTable 1 }

469     RadiusAuthServerExtEntry ::= SEQUENCE {
470        radiusAuthServerExtIndex                     Integer32,
471        radiusAuthServerInetAddressType              InetAddressType,
472        radiusAuthServerInetAddress                  InetAddress,
473        radiusAuthClientServerInetPortNumber         InetPortNumber,
474        radiusAuthClientExtRoundTripTime             TimeTicks,
475        radiusAuthClientExtAccessRequests            Counter32,
476        radiusAuthClientExtAccessRetransmissions     Counter32,
477        radiusAuthClientExtAccessAccepts             Counter32,
478        radiusAuthClientExtAccessRejects             Counter32,
479        radiusAuthClientExtAccessChallenges          Counter32,
480        radiusAuthClientExtMalformedAccessResponses  Counter32,
481        radiusAuthClientExtBadAuthenticators         Counter32,
482        radiusAuthClientExtPendingRequests           Gauge32,
483        radiusAuthClientExtTimeouts                  Counter32,
484        radiusAuthClientExtUnknownTypes              Counter32,
485        radiusAuthClientExtPacketsDropped            Counter32
486     }

488     radiusAuthServerExtIndex OBJECT-TYPE
489        SYNTAX Integer32 (1..2147483647)
490        MAX-ACCESS not-accessible
491        STATUS current
492        DESCRIPTION
493           "A number uniquely identifying each RADIUS
494            Authentication server with which this client
495            communicates."
496        ::= { radiusAuthServerExtEntry 1 }

498     radiusAuthServerInetAddressType OBJECT-TYPE
499        SYNTAX InetAddressType
500        MAX-ACCESS read-only
501        STATUS current
502        DESCRIPTION
503           "The type of address format used for the
504            radiusAuthServerInetAddress object."
505        ::= { radiusAuthServerExtEntry 2 }

507     radiusAuthServerInetAddress OBJECT-TYPE
508        SYNTAX InetAddress
509        MAX-ACCESS read-only
510        STATUS current
511        DESCRIPTION
512           "The IP address of the RADIUS authentication
513            server referred to in this table entry, using
514            the IPv6 address format."
515        ::= { radiusAuthServerExtEntry 3 }

517     radiusAuthClientServerInetPortNumber OBJECT-TYPE
518        SYNTAX InetPortNumber
519        MAX-ACCESS read-only
520        STATUS current
521        DESCRIPTION
522           "The UDP port the client is using to send requests
523            to this server."
524        ::= { radiusAuthServerExtEntry 4 }

526     radiusAuthClientExtRoundTripTime OBJECT-TYPE
527        SYNTAX TimeTicks
528        MAX-ACCESS read-only
529        STATUS current
530        DESCRIPTION
531           "The time interval (in hundredths of a second) between
532            the most recent Access-Reply/Access-Challenge and the
533            Access-Request that matched it from this RADIUS
534            authentication server."
535        ::= { radiusAuthServerExtEntry 5 }

537     -- Request/Response statistics
538     --
539     -- TotalIncomingPackets = Accepts + Rejects + Challenges +
540     -- UnknownTypes
541     --
542     -- TotalIncomingPackets - MalformedResponses -
543     -- BadAuthenticators - UnknownTypes - PacketsDropped =
544     -- Successfully received
545     --
546     -- AccessRequests + PendingRequests + ClientTimeouts =
547     -- Successfully received
548     --
549     --

551     radiusAuthClientExtAccessRequests OBJECT-TYPE
552        SYNTAX Counter32
553        MAX-ACCESS read-only
554        STATUS current
555        DESCRIPTION
556           "The number of RADIUS Access-Request packets sent
557            to this server. This does not include retransmissions."
558        ::= { radiusAuthServerExtEntry 6 }

560     radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
561        SYNTAX Counter32
562        MAX-ACCESS read-only
563        STATUS current
564        DESCRIPTION
565           "The number of RADIUS Access-Request packets
566            retransmitted to this RADIUS authentication server."
567        ::= { radiusAuthServerExtEntry 7 }

569     radiusAuthClientExtAccessAccepts OBJECT-TYPE
570        SYNTAX Counter32
571        MAX-ACCESS read-only
572        STATUS current
573        DESCRIPTION
574           "The number of RADIUS Access-Accept packets
575            (valid or invalid) received from this server."
576        ::= { radiusAuthServerExtEntry 8 }

578     radiusAuthClientExtAccessRejects OBJECT-TYPE
579        SYNTAX Counter32
580        MAX-ACCESS read-only
581        STATUS current
582        DESCRIPTION
583           "The number of RADIUS Access-Reject packets
584            (valid or invalid) received from this server."

586        ::= { radiusAuthServerExtEntry 9 }

588     radiusAuthClientExtAccessChallenges OBJECT-TYPE
589        SYNTAX Counter32
590        MAX-ACCESS read-only
591        STATUS current
592        DESCRIPTION
593           "The number of RADIUS Access-Challenge packets
594            (valid or invalid) received from this server."
595        ::= { radiusAuthServerExtEntry 10 }

597     -- "Access-Response" includes an Access-Accept, Access-Challenge
598     -- or Access-Reject

600     radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
601        SYNTAX Counter32
602        MAX-ACCESS read-only
603        STATUS current
604        DESCRIPTION
605           "The number of malformed RADIUS Access-Response
606            packets received from this server.
607            Malformed packets include packets with
608            an invalid length. Bad authenticators or
609            Message Authenticator attributes or unknown types
610            are not included as malformed access responses."
611        ::= { radiusAuthServerExtEntry 11 }

613     radiusAuthClientExtBadAuthenticators OBJECT-TYPE
614        SYNTAX Counter32
615        MAX-ACCESS read-only
616        STATUS current
617        DESCRIPTION
618           "The number of RADIUS Access-Response packets
619            containing invalid authenticators or Message
620            Authenticator attributes received from this server."
621        ::= { radiusAuthServerExtEntry 12 }

623     radiusAuthClientExtPendingRequests OBJECT-TYPE
624        SYNTAX Gauge32
625        MAX-ACCESS read-only
626        STATUS current
627        DESCRIPTION
628           "The number of RADIUS Access-Request packets
629            destined for this server that have not yet timed out
630            or received a response. This variable is incremented
631            when an Access-Request is sent and decremented due to
632            receipt of an Access-Accept, Access-Reject or
633            Access-Challenge, a timeout or retransmission."

635        ::= { radiusAuthServerExtEntry 13 }

637     radiusAuthClientExtTimeouts OBJECT-TYPE
638        SYNTAX Counter32
639        MAX-ACCESS read-only
640        STATUS current
641        DESCRIPTION
642           "The number of authentication timeouts to this server.
643            After a timeout the client may retry to the same
644            server, send to a different server, or
645            give up. A retry to the same server is counted as a
646            retransmit as well as a timeout. A send to a different
647            server is counted as a Request as well as a timeout."
648        ::= { radiusAuthServerExtEntry 14 }

650     radiusAuthClientExtUnknownTypes OBJECT-TYPE
651        SYNTAX Counter32
652        MAX-ACCESS read-only
653        STATUS current
654        DESCRIPTION
655           "The number of RADIUS packets of unknown type which
656            were received from this server on the authentication
657            port."
658        ::= { radiusAuthServerExtEntry 15 }

660     radiusAuthClientExtPacketsDropped OBJECT-TYPE
661        SYNTAX Counter32
662        MAX-ACCESS read-only
663        STATUS current
664        DESCRIPTION
665           "The number of RADIUS packets which were
666            received from this server on the authentication port
667            and dropped for some other reason."
668        ::= { radiusAuthServerExtEntry 16 }

670     -- conformance information

672     radiusAuthClientMIBConformance OBJECT IDENTIFIER
673        ::= { radiusAuthClientMIB 2 }

675     radiusAuthClientMIBCompliances OBJECT IDENTIFIER
676        ::= { radiusAuthClientMIBConformance 1 }

678     radiusAuthClientMIBGroups OBJECT IDENTIFIER
679        ::= { radiusAuthClientMIBConformance 2 }

681     radiusAuthClientExtMIBCompliances OBJECT IDENTIFIER
682        ::= { radiusAuthClientExtMIBConformance 1 }

684     radiusAuthClientExtMIBGroups OBJECT IDENTIFIER
685        ::= { radiusAuthClientExtMIBConformance 2 }

687     -- compliance statements

689     radiusAuthClientMIBCompliance MODULE-COMPLIANCE
690        STATUS deprecated
691        DESCRIPTION
692           "The compliance statement for authentication clients
693            implementing the RADIUS Authentication Client MIB."
694        MODULE -- this module
695           MANDATORY-GROUPS { radiusAuthClientMIBGroup }

697        ::= { radiusAuthClientMIBCompliances 1 }

699     radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
700        STATUS current
701        DESCRIPTION
702           "The compliance statement for authentication
703            clients implementing the RADIUS Authentication
704            Client IPv6 Extensions MIB."
705        MODULE -- this module
706           MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

708        ::= { radiusAuthClientExtMIBCompliances 1 }

710     -- units of conformance

712     radiusAuthClientMIBGroup OBJECT-GROUP
713        OBJECTS { radiusAuthClientIdentifier,
714                  radiusAuthClientInvalidServerAddresses,
715                  radiusAuthServerAddress,
716                  radiusAuthClientServerPortNumber,
717                  radiusAuthClientRoundTripTime,
718                  radiusAuthClientAccessRequests,
719                  radiusAuthClientAccessRetransmissions,
720                  radiusAuthClientAccessAccepts,
721                  radiusAuthClientAccessRejects,
722                  radiusAuthClientAccessChallenges,
723                  radiusAuthClientMalformedAccessResponses,
724                  radiusAuthClientBadAuthenticators,
725                  radiusAuthClientPendingRequests,
726                  radiusAuthClientTimeouts,
727                  radiusAuthClientUnknownTypes,
728                  radiusAuthClientPacketsDropped
729                }
730        STATUS deprecated
731        DESCRIPTION
732           "The basic collection of objects providing management of
733            RADIUS Authentication Clients."
734        ::= { radiusAuthClientMIBGroups 1 }

736     radiusAuthClientExtMIBGroup OBJECT-GROUP
737        OBJECTS { radiusAuthClientIdentifier,
738                  radiusAuthClientInvalidServerAddresses,
739                  radiusAuthServerInetAddressType,
740                  radiusAuthServerInetAddress,
741                  radiusAuthClientServerInetPortNumber,
742                  radiusAuthClientExtRoundTripTime,
743                  radiusAuthClientExtAccessRequests,
744                  radiusAuthClientExtAccessRetransmissions,
745                  radiusAuthClientExtAccessAccepts,
746                  radiusAuthClientExtAccessRejects,
747                  radiusAuthClientExtAccessChallenges,
748                  radiusAuthClientExtMalformedAccessResponses,
749                  radiusAuthClientExtBadAuthenticators,
750                  radiusAuthClientExtPendingRequests,
751                  radiusAuthClientExtTimeouts,
752                  radiusAuthClientExtUnknownTypes,
753                  radiusAuthClientExtPacketsDropped
754                }
755        STATUS current
756        DESCRIPTION
757           "The collection of extended objects providing
758            management of RADIUS Authentication Clients
759            using version neutral IP address format."
760        ::= { radiusAuthClientExtMIBGroups 1 }

762     END

764  8. IANA Considerations

766     This document requires IANA assignment of a number in the MIB-2 OID
767     number space.

769  9. Security Considerations

771     There are no management objects defined in this MIB that have a
772     MAX-ACCESS clause of read-write and/or read-create. So, if this MIB is
773     implemented correctly, then there is no risk that an intruder can
774     alter or create any management objects of this MIB via direct SNMP
775     SET operations.

777     There are a number of managed objects in this MIB that may contain
778     sensitive information. These are:

780     radiusAuthServerIPAddress This can be used to determine the address
781        of the RADIUS authentication server with which the client is
782        communicating. This information could be useful in mounting an
783        attack on the authentication server.

785     radiusAuthServerInetAddress This can be used to determine the address
786        of the RADIUS authentication server with which the client is
787        communicating. This information could be useful in mounting an
788        attack on the authentication server.

790     radiusAuthClientServerInetPortNumber This can be used to determine
791        the port number on which the RADIUS authentication client is
792        sending. This information could be useful in impersonating the
793        client in order to send data to the authentication server.

795     It is thus important to control even GET access to these objects and
796     possibly to even encrypt the values of these objects when sending them
797     over the network via SNMP. Not all versions of SNMP provide features
798     for such a secure environment.

800     SNMP versions prior to SNMPv3 do not provide a secure environment.
801     Even if the network itself is secure (for example by using IPSec),
802     there is no control as to who on the secure network is allowed to
803     access and GET/SET (read/change/create/delete) the objects in this
804     MIB.

806     It is recommended that the implementers consider the security
807     features as provided by the SNMPv3 framework. Specifically, the use
808     of the User-based Security Model [RFC2574] and the View-based Access
809     Control Model [RFC2575] is recommended. Using these security
810     features, customer/users can give access to the objects only to those
811     principals (users) that have legitimate rights to GET or SET
812     (change/create/delete) them.

814  10. References

816  10.1. Normative References

818     [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
819               Requirement Levels", BCP 14, RFC 2119, March 1997.

821     [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
822               (USM) for version 3 of the Simple Network Management
823               Protocol (SNMPv3)", RFC 2574, April 1999.

825     [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
826               Access Control Model (VACM) for the Simple Network
827               Management Protocol (SNMP)", RFC 2575, April 1999.

829     [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
830               Schoenwaelder, Ed., "Structure of Management Information
831               Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

833     [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
834               Schoenwaelder, Ed., "Textual Conventions for SMIv2",
835               STD 58, RFC 2579, April 1999.

837     [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
838               "Conformance Statements for SMIv2", STD 58, RFC 2580,
839               April 1999.

841     [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
842               "Introduction and Applicability Statements for
843               Internet-Standard Management Framework", RFC 3410, December 2002.

845     [RFC3418] Presuhn, R., "Management Information Base (MIB) for the
846               Simple Network Management Protocol (SNMP)", STD 62,
847               RFC 3418, December 2002.

849     [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
850               Schoenwaelder, "Textual Conventions for Internet Network
851               Addresses", RFC 4001, February 2005.

853  10.2. Informative References

855     [RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
856               RFC 2618, June 1999.

858     [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
859                "Remote Authentication Dial In User Service (RADIUS)",
860                RFC 2865, June 2000.

862  Appendix A.  Acknowledgments

864     The Authors of the original MIB are Bernard Aboba and Glen Zorn.

866     Many thanks to all reviewers, especially to Dave Harrington, Dan
867     Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

869  Author's Address

871     David B. Nelson
872     Enterasys Networks
873     50 Minuteman Road
874     Andover, MA  01810
875     USA

877     Email: dnelson@enterasys.com

879  Intellectual Property Statement

881     The IETF takes no position regarding the validity or scope of any
882     Intellectual Property Rights or other rights that might be claimed to
883     pertain to the implementation or use of the technology described in
884     this document or the extent to which any license under such rights
885     might or might not be available; nor does it represent that it has
886     made any independent effort to identify any such rights.  Information
887     on the procedures with respect to rights in RFC documents can be
888     found in BCP 78 and BCP 79.

890     Copies of IPR disclosures made to the IETF Secretariat and any
891     assurances of licenses to be made available, or the result of an
892     attempt made to obtain a general license or permission for the use of
893     such proprietary rights by implementers or users of this
894     specification can be obtained from the IETF on-line IPR repository at
895     http://www.ietf.org/ipr.

897     The IETF invites any interested party to bring to its attention any
898     copyrights, patents or patent applications, or other proprietary
899     rights that may cover technology that may be required to implement
900     this standard.  Please address the information to the IETF at
901     ietf-ipr@ietf.org.
903  Disclaimer of Validity

905     This document and the information contained herein are provided on an
906     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
907     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
908     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
909     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
910     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
911     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

913  Copyright Statement

915     Copyright (C) The Internet Society (2005).  This document is subject
916     to the rights, licenses and restrictions contained in BCP 78, and
917     except as set forth therein, the authors retain all their rights.

919  Acknowledgment

921     Funding for the RFC Editor function is currently provided by the
922     Internet Society.
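
Section 9 recommends the View-based Access Control Model [RFC2575] so that only principals with legitimate rights can GET the three sensitive objects. The following is an added example, not part of the draft: a Python model of the VACM view-subtree decision, showing a monitoring view that keeps the rest of the MIB readable while excluding those objects. The view names (MONITOR_VIEW, ADMIN_VIEW), the helper names and every OID are assumptions; the OIDs are constructed placeholders, not values assigned to this MIB.

```python
# Added example: VACM view check (family masks omitted for brevity).
# Every OID here is a constructed placeholder under the documentation
# enterprise arc 1.3.6.1.4.1.32473, not a value assigned to this MIB.

def parse_oid(text):
    """Turn '1.3.6.1' into a tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))

def in_view(view, oid):
    """Return True if `oid` may be read under `view`.

    `view` is a list of (subtree, included) pairs. Of the families whose
    subtree is a prefix of `oid`, the one with the most sub-identifiers
    decides; ties go to the lexicographically greater subtree. An OID that
    no family matches is outside the view.
    """
    target = parse_oid(oid)
    best = None
    for subtree_text, included in view:
        subtree = parse_oid(subtree_text)
        if target[:len(subtree)] != subtree:
            continue
        key = (len(subtree), subtree)
        if best is None or key > best[0]:
            best = (key, included)
    return best is not None and best[1]

CLIENT_MIB = "1.3.6.1.4.1.32473.1"          # placeholder MIB subtree
SENSITIVE = {                                # placeholder column OIDs
    "radiusAuthServerIPAddress": CLIENT_MIB + ".3.1.2",
    "radiusAuthServerInetAddress": CLIENT_MIB + ".4.1.3",
    "radiusAuthClientServerInetPortNumber": CLIENT_MIB + ".4.1.4",
}
COUNTER = CLIENT_MIB + ".4.1.6"              # placeholder non-sensitive column

# Monitoring principals: whole MIB minus the three sensitive columns.
MONITOR_VIEW = [(CLIENT_MIB, True)] + [(oid, False) for oid in SENSITIVE.values()]
# Principals with a legitimate need for server addresses and ports.
ADMIN_VIEW = [(CLIENT_MIB, True)]

def readable_sensitive(view, index=".1"):
    """Names of sensitive objects whose instance `index` is in `view`."""
    return sorted(n for n, oid in SENSITIVE.items() if in_view(view, oid + index))

if __name__ == "__main__":
    print("monitor:", readable_sensitive(MONITOR_VIEW))
    print("admin:  ", readable_sensitive(ADMIN_VIEW))
```

The view decides only which objects a principal may read; encrypting the values in transit, which Section 9 also asks for, is a property of the User-based Security Model [RFC2574] privacy setting and is not modelled here.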