Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2618 (if approved)                       October 18, 2005
Expires: April 21, 2006

                      RADIUS Auth Client MIB (IPv6)
                   draft-ietf-radext-rfc2618bis-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 21, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo obsoletes RFC 2618 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2618 are carried forward into this document.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Client as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
   Client MIB, by deprecating the radiusAuthServerTable table and adding
   a new table, radiusAuthServerExtTable, containing
   radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
   radiusAuthClientServerInetPortNumber.  The purpose of these added MIB
   objects is to support version neutral IP addressing formats.  The
   existing table containing radiusAuthServerAddress and
   radiusAuthClientServerPortNumber is deprecated.  The remaining MIB
   objects are carried forward from RFC 2618 into this document.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   IPv6 addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC 4001] that support all
   versions of IP.  The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated".  The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically NAS devices implement the client function, and thus would
   be expected to implement the RADIUS authentication client MIB, while
   RADIUS authentication servers implement the server function, and thus
   would be expected to implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.
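   The following Python model is an added illustration, not code from
   this draft or from any RADIUS implementation.  It ties together the
   version-neutral address objects that Section 4 introduces (encoded as
   RFC 4001 InetAddressType/InetAddress values), the Section 6 rule on
   when the deprecated IPv4-only row may still be instantiated, and the
   per-server counters whose relationships the comments in the Section 7
   module state.  The class and event names (AuthServerRow, send_request,
   timeout, receive, walk_through) are my own; the reading of the third
   counter relation in the module comments is an assumption and is
   marked as such in the code.

```python
"""Added illustration: one row of radiusAuthServerExtTable as a RADIUS
authentication client would maintain it (not code from the draft)."""
import ipaddress
from dataclasses import dataclass

# InetAddressType enumeration values from INET-ADDRESS-MIB (RFC 4001)
IPV4, IPV6 = 1, 2

# Event vocabulary for AuthServerRow.receive(); my own naming
RESPONSE_COUNTER = {"accept": "access_accepts", "reject": "access_rejects",
                    "challenge": "access_challenges"}
DISPOSITIONS = ("ok", "malformed", "bad_authenticator", "dropped")


def encode_inet_address(text):
    """(radiusAuthServerInetAddressType, radiusAuthServerInetAddress):
    ipv4(1) with 4 octets or ipv6(2) with 16 octets, per RFC 4001."""
    addr = ipaddress.ip_address(text)
    return (IPV4, addr.packed) if addr.version == 4 else (IPV6, addr.packed)


def deprecated_row_value(text):
    """radiusAuthServerAddress (IpAddress) for the deprecated table, or None:
    Section 6 says the IPv4-only row SHOULD NOT be instantiated when the
    server address is not IPv4, rather than returning an inaccurate value."""
    addr = ipaddress.ip_address(text)
    return addr.packed if addr.version == 4 else None


@dataclass
class AuthServerRow:
    """Counters of one radiusAuthServerExtEntry, named after the objects."""
    access_requests: int = 0
    access_retransmissions: int = 0
    access_accepts: int = 0
    access_rejects: int = 0
    access_challenges: int = 0
    malformed_access_responses: int = 0
    bad_authenticators: int = 0
    pending_requests: int = 0      # the only Gauge32; the rest are Counter32
    timeouts: int = 0
    unknown_types: int = 0
    packets_dropped: int = 0

    def send_request(self):
        """A new Access-Request; retransmissions are counted separately."""
        self.access_requests += 1
        self.pending_requests += 1

    def timeout(self, action, other=None):
        """Per radiusAuthClientExtTimeouts: 'retry' also counts a
        retransmission, 'failover' counts a fresh Request on the other
        server's row, 'give_up' only drops the pending request."""
        self.timeouts += 1
        self.pending_requests -= 1
        if action == "retry":
            self.access_retransmissions += 1
            self.pending_requests += 1   # retransmitted request is outstanding again
        elif action == "failover":
            if other is None:
                raise ValueError("failover needs the other server's row")
            other.send_request()
        elif action != "give_up":
            raise ValueError(action)

    def receive(self, kind, disposition="ok"):
        """A packet from this server on the authentication port.  The type
        counters include valid and invalid packets, as their DESCRIPTIONs
        say; only a valid Accept/Reject/Challenge completes a pending
        request (assumption: the client keeps waiting after a bad packet)."""
        if kind == "unknown":
            self.unknown_types += 1
            return
        if kind not in RESPONSE_COUNTER or disposition not in DISPOSITIONS:
            raise ValueError((kind, disposition))
        name = RESPONSE_COUNTER[kind]
        setattr(self, name, getattr(self, name) + 1)
        if disposition == "malformed":
            self.malformed_access_responses += 1
        elif disposition == "bad_authenticator":
            self.bad_authenticators += 1
        elif disposition == "dropped":
            self.packets_dropped += 1
        else:
            self.pending_requests -= 1

    def total_incoming(self):
        """First relation in the module comments."""
        return (self.access_accepts + self.access_rejects
                + self.access_challenges + self.unknown_types)

    def successfully_received(self):
        """Second relation in the module comments."""
        return (self.total_incoming() - self.malformed_access_responses
                - self.bad_authenticators - self.unknown_types
                - self.packets_dropped)

    def consistent(self):
        """Assumed reading of the third relation: every transmission
        (request or retransmission) is pending, timed out, or answered."""
        return (self.access_requests + self.access_retransmissions
                == self.pending_requests + self.timeouts
                + self.successfully_received())


def walk_through():
    """Constructed scenario: the primary answers, then the client fails over."""
    primary, backup = AuthServerRow(), AuthServerRow()
    primary.send_request(); primary.receive("challenge")
    primary.send_request(); primary.receive("accept")
    primary.send_request(); primary.receive("accept", "bad_authenticator")
    primary.timeout("retry"); primary.receive("reject")
    primary.send_request(); primary.timeout("failover", backup)
    backup.receive("unknown"); backup.receive("accept")
    return primary, backup
```

   Running walk_through() and calling consistent() on both rows shows
   that a failover Access-Request lands on the other server's row, as
   the Timeouts DESCRIPTION requires, and that an Access-Accept with a
   bad authenticator raises both radiusAuthClientExtAccessAccepts and
   radiusAuthClientExtBadAuthenticators without completing the request.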
   This MIB module contains two scalars as well as a single table, the
   RADIUS Authentication Server Table, which contains one row for each
   RADIUS authentication server with which the client shares a secret.
   Each entry in the RADIUS Authentication Server Table includes sixteen
   columns presenting a view of the activity of the RADIUS
   authentication client.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2618
   [RFC2618].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.
   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate the deprecated table
   containing IPv4-only address objects when the RADIUS server address
   represented in the table row is not an IPv4 address.  Managed
   entities SHOULD NOT return inaccurate values of IP address or SNMP
   object access errors for IPv4-only address objects in otherwise
   populated tables.

7.  Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
       SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
       InetAddressType, InetAddress,
       InetPortNumber                   FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "200510170000Z" -- 17 Oct 2005
       ORGANIZATION "IETF RADIUS Extensions Working Group."
       CONTACT-INFO
              " Bernard Aboba
                Microsoft
                One Microsoft Way
                Redmond, WA  98052
                US
                Phone: +1 425 936 6605
                EMail: bernarda@microsoft.com"
       DESCRIPTION
             "The MIB module for entities implementing the client
              side of the Remote Authentication Dial-In User Service
              (RADIUS) authentication protocol."
       REVISION "200510170000Z"    -- 17 Oct 2005
       DESCRIPTION "Revised version as published in RFC xxxx.  This
              version obsoletes that of RFC 2618 by deprecating the MIB
              table containing IPv4-only address formats and defining a
              new table to add support for version neutral IP address
              formats.  The remaining MIB objects from RFC 2618 are
              carried forward into this version."
       REVISION "9906110000Z"    -- 11 Jun 1999
       DESCRIPTION "Initial version as published in RFC 2618"

-- RFC Editor: replace xxxx with actual RFC number at the time of
-- publication, and remove this note.

       ::= { radiusAuthentication 2 }

radiusMIB OBJECT-IDENTITY
       STATUS  current
       DESCRIPTION
             "The OID assigned to RADIUS MIB work by the IANA."
       ::= { mib-2 67 }

radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

radiusAuthClientMIBObjects OBJECT IDENTIFIER
       ::= { radiusAuthClientMIB 1 }

radiusAuthClient  OBJECT IDENTIFIER
       ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
       SYNTAX Counter32
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The number of RADIUS Access-Response packets
              received from unknown addresses."
       ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
             "The NAS-Identifier of the RADIUS authentication client.
              This is not necessarily the same as sysName in MIB II."
       ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "The (conceptual) table listing the RADIUS authentication
              servers with which the client shares a secret."
       ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
       SYNTAX     RadiusAuthServerEntry
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication server with which the client shares
              a secret."
       INDEX      { radiusAuthServerIndex }
       ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
       radiusAuthServerIndex                           Integer32,
       radiusAuthServerAddress                         IpAddress,
       radiusAuthClientServerPortNumber                Integer32,
       radiusAuthClientRoundTripTime                   TimeTicks,
       radiusAuthClientAccessRequests                  Counter32,
       radiusAuthClientAccessRetransmissions           Counter32,
       radiusAuthClientAccessAccepts                   Counter32,
       radiusAuthClientAccessRejects                   Counter32,
       radiusAuthClientAccessChallenges                Counter32,
       radiusAuthClientMalformedAccessResponses        Counter32,
       radiusAuthClientBadAuthenticators               Counter32,
       radiusAuthClientPendingRequests                 Gauge32,
       radiusAuthClientTimeouts                        Counter32,
       radiusAuthClientUnknownTypes                    Counter32,
       radiusAuthClientPacketsDropped                  Counter32
}

radiusAuthServerIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS     deprecated
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              Authentication server with which this client
              communicates."
       ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
       SYNTAX     IpAddress
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The IP address of the RADIUS authentication server
              referred to in this table entry."
       ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber  OBJECT-TYPE
       SYNTAX     Integer32 (0..65535)
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The UDP port the client is using to send requests to
              this server."
       ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime  OBJECT-TYPE
       SYNTAX     TimeTicks
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The time interval (in hundredths of a second) between
              the most recent Access-Reply/Access-Challenge and the
              Access-Request that matched it from this RADIUS
              authentication server."
       ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges +
-- UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received
--
--

radiusAuthClientAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Request packets sent
              to this server.  This does not include retransmissions."
       ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              retransmitted to this RADIUS authentication server."
       ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Accept packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Reject packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject

radiusAuthClientMalformedAccessResponses OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of malformed RADIUS Access-Response
              packets received from this server.
              Malformed packets include packets with
              an invalid length.  Bad authenticators or
              Message Authenticator attributes or unknown types
              are not included as malformed access responses."
       ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Response packets
              containing invalid authenticators or Message
              Authenticator attributes received from this server."
       ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              destined for this server that have not yet timed out
              or received a response.  This variable is incremented
              when an Access-Request is sent and decremented due to
              receipt of an Access-Accept, Access-Reject or
              Access-Challenge, a timeout or retransmission."
       ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of authentication timeouts to this server.
              After a timeout the client may retry to the same
              server, send to a different server, or
              give up.  A retry to the same server is counted as a
              retransmit as well as a timeout.  A send to a different
              server is counted as a Request as well as a timeout."
       ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this server on the authentication
              port."
       ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     deprecated
       DESCRIPTION
             "The number of RADIUS packets which were
              received from this server on the authentication port
              and dropped for some other reason."
       ::= { radiusAuthServerEntry 15 }

-- New MIB Objects in this revision

radiusAuthServerExtTable OBJECT-TYPE
       SYNTAX     SEQUENCE OF RadiusAuthServerExtEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "The (conceptual) table listing the RADIUS authentication
              servers with which the client shares a secret."
       ::= { radiusAuthClient 4 }

radiusAuthServerExtEntry OBJECT-TYPE
       SYNTAX     RadiusAuthServerExtEntry
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "An entry (conceptual row) representing a RADIUS
              authentication server with which the client shares
              a secret."
       INDEX      { radiusAuthServerExtIndex }
       ::= { radiusAuthServerExtTable 1 }

RadiusAuthServerExtEntry ::= SEQUENCE {
       radiusAuthServerExtIndex                        Integer32,
       radiusAuthServerInetAddressType                 InetAddressType,
       radiusAuthServerInetAddress                     InetAddress,
       radiusAuthClientServerInetPortNumber            InetPortNumber,
       radiusAuthClientExtRoundTripTime                TimeTicks,
       radiusAuthClientExtAccessRequests               Counter32,
       radiusAuthClientExtAccessRetransmissions        Counter32,
       radiusAuthClientExtAccessAccepts                Counter32,
       radiusAuthClientExtAccessRejects                Counter32,
       radiusAuthClientExtAccessChallenges             Counter32,
       radiusAuthClientExtMalformedAccessResponses     Counter32,
       radiusAuthClientExtBadAuthenticators            Counter32,
       radiusAuthClientExtPendingRequests              Gauge32,
       radiusAuthClientExtTimeouts                     Counter32,
       radiusAuthClientExtUnknownTypes                 Counter32,
       radiusAuthClientExtPacketsDropped               Counter32
}

radiusAuthServerExtIndex OBJECT-TYPE
       SYNTAX     Integer32 (1..2147483647)
       MAX-ACCESS not-accessible
       STATUS     current
       DESCRIPTION
             "A number uniquely identifying each RADIUS
              Authentication server with which this client
              communicates."
       ::= { radiusAuthServerExtEntry 1 }

radiusAuthServerInetAddressType OBJECT-TYPE
       SYNTAX     InetAddressType
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The type of address format used for the
              radiusAuthServerInetAddress object."
       ::= { radiusAuthServerExtEntry 2 }

radiusAuthServerInetAddress OBJECT-TYPE
       SYNTAX     InetAddress
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The IP address of the RADIUS authentication
              server referred to in this table entry, using
              the version neutral IP address format."
       ::= { radiusAuthServerExtEntry 3 }

radiusAuthClientServerInetPortNumber  OBJECT-TYPE
       SYNTAX     InetPortNumber
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The UDP port the client is using to send requests
              to this server."
       ::= { radiusAuthServerExtEntry 4 }

radiusAuthClientExtRoundTripTime  OBJECT-TYPE
       SYNTAX     TimeTicks
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The time interval (in hundredths of a second) between
              the most recent Access-Reply/Access-Challenge and the
              Access-Request that matched it from this RADIUS
              authentication server."
       ::= { radiusAuthServerExtEntry 5 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges +
-- UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received
--
--

radiusAuthClientExtAccessRequests OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Request packets sent
              to this server.  This does not include retransmissions."
       ::= { radiusAuthServerExtEntry 6 }

radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              retransmitted to this RADIUS authentication server."
       ::= { radiusAuthServerExtEntry 7 }

radiusAuthClientExtAccessAccepts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Accept packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerExtEntry 8 }

radiusAuthClientExtAccessRejects OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Reject packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerExtEntry 9 }

radiusAuthClientExtAccessChallenges OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Challenge packets
              (valid or invalid) received from this server."
       ::= { radiusAuthServerExtEntry 10 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject

radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of malformed RADIUS Access-Response
              packets received from this server.
              Malformed packets include packets with
              an invalid length.  Bad authenticators or
              Message Authenticator attributes or unknown types
              are not included as malformed access responses."
       ::= { radiusAuthServerExtEntry 11 }

radiusAuthClientExtBadAuthenticators OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Response packets
              containing invalid authenticators or Message
              Authenticator attributes received from this server."
       ::= { radiusAuthServerExtEntry 12 }

radiusAuthClientExtPendingRequests OBJECT-TYPE
       SYNTAX     Gauge32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS Access-Request packets
              destined for this server that have not yet timed out
              or received a response.  This variable is incremented
              when an Access-Request is sent and decremented due to
              receipt of an Access-Accept, Access-Reject or
              Access-Challenge, a timeout or retransmission."
       ::= { radiusAuthServerExtEntry 13 }

radiusAuthClientExtTimeouts OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of authentication timeouts to this server.
              After a timeout the client may retry to the same
              server, send to a different server, or
              give up.  A retry to the same server is counted as a
              retransmit as well as a timeout.  A send to a different
              server is counted as a Request as well as a timeout."
       ::= { radiusAuthServerExtEntry 14 }

radiusAuthClientExtUnknownTypes OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS packets of unknown type which
              were received from this server on the authentication
              port."
       ::= { radiusAuthServerExtEntry 15 }

radiusAuthClientExtPacketsDropped OBJECT-TYPE
       SYNTAX     Counter32
       MAX-ACCESS read-only
       STATUS     current
       DESCRIPTION
             "The number of RADIUS packets which were
              received from this server on the authentication port
              and dropped for some other reason."
       ::= { radiusAuthServerExtEntry 16 }

-- conformance information

radiusAuthClientMIBConformance OBJECT IDENTIFIER
       ::= { radiusAuthClientMIB 2 }

radiusAuthClientMIBCompliances OBJECT IDENTIFIER
       ::= { radiusAuthClientMIBConformance 1 }

radiusAuthClientMIBGroups OBJECT IDENTIFIER
       ::= { radiusAuthClientMIBConformance 2 }

-- compliance statements

radiusAuthClientMIBCompliance MODULE-COMPLIANCE
       STATUS  deprecated
       DESCRIPTION
             "The compliance statement for authentication clients
              implementing the RADIUS Authentication Client MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthClientMIBGroup }

       ::= { radiusAuthClientMIBCompliances 1 }

radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
             "The compliance statement for authentication
              clients implementing the RADIUS Authentication
              Client IPv6 Extensions MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

       ::= { radiusAuthClientMIBCompliances 2 }

-- units of conformance

radiusAuthClientMIBGroup OBJECT-GROUP
       OBJECTS { radiusAuthClientIdentifier,
                 radiusAuthClientInvalidServerAddresses,
                 radiusAuthServerAddress,
                 radiusAuthClientServerPortNumber,
                 radiusAuthClientRoundTripTime,
                 radiusAuthClientAccessRequests,
                 radiusAuthClientAccessRetransmissions,
                 radiusAuthClientAccessAccepts,
                 radiusAuthClientAccessRejects,
                 radiusAuthClientAccessChallenges,
                 radiusAuthClientMalformedAccessResponses,
                 radiusAuthClientBadAuthenticators,
                 radiusAuthClientPendingRequests,
                 radiusAuthClientTimeouts,
                 radiusAuthClientUnknownTypes,
                 radiusAuthClientPacketsDropped
               }
       STATUS  deprecated
       DESCRIPTION
             "The basic collection of objects providing management of
              RADIUS Authentication Clients."
       ::= { radiusAuthClientMIBGroups 1 }

radiusAuthClientExtMIBGroup OBJECT-GROUP
       OBJECTS { radiusAuthClientIdentifier,
                 radiusAuthClientInvalidServerAddresses,
                 radiusAuthServerInetAddressType,
                 radiusAuthServerInetAddress,
                 radiusAuthClientServerInetPortNumber,
                 radiusAuthClientExtRoundTripTime,
                 radiusAuthClientExtAccessRequests,
                 radiusAuthClientExtAccessRetransmissions,
                 radiusAuthClientExtAccessAccepts,
                 radiusAuthClientExtAccessRejects,
                 radiusAuthClientExtAccessChallenges,
                 radiusAuthClientExtMalformedAccessResponses,
                 radiusAuthClientExtBadAuthenticators,
                 radiusAuthClientExtPendingRequests,
                 radiusAuthClientExtTimeouts,
                 radiusAuthClientExtUnknownTypes,
                 radiusAuthClientExtPacketsDropped
               }
       STATUS  current
       DESCRIPTION
             "The collection of extended objects providing
              management of RADIUS Authentication Clients
              using version neutral IP address format."
       ::= { radiusAuthClientMIBGroups 2 }

END

8.  IANA Considerations

   This document requires no new IANA assignments.

9.  Security Considerations

   There are no management objects defined in this MIB that have a
   MAX-ACCESS clause of read-write and/or read-create.  So, if this MIB
   is implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthServerIPAddress  This can be used to determine the address
      of the RADIUS authentication server with which the client is
      communicating.  This information could be useful in mounting an
      attack on the authentication server.

   radiusAuthServerInetAddress  This can be used to determine the
      address of the RADIUS authentication server with which the client
      is communicating.
      This information could be useful in mounting an attack on the
      authentication server.

   radiusAuthClientServerInetPortNumber  This can be used to determine
      the port number on which the RADIUS authentication client is
      sending.  This information could be useful in impersonating the
      client in order to send data to the authentication server.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 do not provide a secure environment.
   Even if the network itself is secure (for example by using IPSec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is recommended that the implementers consider the security
   features as provided by the SNMPv3 framework.  Specifically, the use
   of the User-based Security Model [RFC2574] and the View-based Access
   Control Model [RFC2575] is recommended.  Using these security
   features, customers/users can give access to the objects only to
   those principals (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

Appendix A.  Acknowledgments

   The Authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to Dave Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA  01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).
This document is subject 910 to the rights, licenses and restrictions contained in BCP 78, and 911 except as set forth therein, the authors retain all their rights. 913 Acknowledgment 915 Funding for the RFC Editor function is currently provided by the 916 Internet Society.