idnits 2.17.1

draft-ietf-radext-rfc2618bis-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this to
     the boilerplate described in the IETF Trust License Policy document (see
     https://trustee.ietf.org/license-info), which is required now.

     -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.
     -- Found old boilerplate from RFC 3978, Section 5.5 on line 982.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 959.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 966.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 972.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead
     of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See
     the Legal Provisions document at https://trustee.ietf.org/license-info for
     more information.)

  -- The document date (January 20, 2006) is 6665 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 130, but not defined

  == Unused Reference: 'RFC2574' is defined on line 889, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2575' is defined on line 893, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3411' is defined on line 920, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3418' is defined on line 925, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Obsolete normative reference: RFC 2618 (Obsoleted by RFC 4668)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

     Summary: 7 errors (**), 0 flaws (~~), 9 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2618 (if approved)                       January 20, 2006
Expires: July 24, 2006

                     RADIUS Auth Client MIB (IPv6)
                  draft-ietf-radext-rfc2618bis-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 24, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a set of extensions which instrument RADIUS
   authentication client functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions, IP-based management stations can manage RADIUS
   authentication clients.

   This memo obsoletes RFC 2618 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2618 are carried forward into this document.  The memo also adds
   UNITS and REFERENCE clauses to selected objects.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. Normative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

   This document uses the word "malformed" with respect to RADIUS
   packets, particularly in the context of counters of "malformed
   packets".  While RFC 2865 does not provide an explicit definition of
   "malformed", malformed generally means that the implementation has
   determined the packet does not match the format defined in RFC 2865.
   Some implementations may determine that packets are malformed when
   the Vendor Specific Attribute (VSA) format does not follow the RFC
   2865 recommendations for VSAs.  Those implementations are used in
   deployments today, and thus set the de-facto definition of
   "malformed".

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Client as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
   Client MIB, by deprecating the radiusAuthServerTable table and adding
   a new table, radiusAuthServerExtTable, containing
   radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
   radiusAuthClientServerInetPortNumber.  The purpose of these added MIB
   objects is to support version neutral IP addressing formats.  The
   existing table containing radiusAuthServerAddress and
   radiusAuthClientServerPortNumber is deprecated.  The remaining MIB
   objects are carried forward from RFC 2618 into this document.  This
   memo also adds UNITS and REFERENCE clauses to selected objects.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   IPv6 addresses, contains the following recommendation.

      'In particular, when revising a MIB module that contains IPv4
      specific tables, it is suggested to define new tables using the
      textual conventions defined in this memo [RFC 4001] that support
      all versions of IP.  The status of the new tables SHOULD be
      "current", whereas the status of the old IP version specific
      tables SHOULD be changed to "deprecated".  The other approach, of
      having multiple similar tables for different IP versions, is
      strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically Network Access Server (NAS) devices implement the client
   function, and thus would be expected to implement the RADIUS
   authentication client MIB, while RADIUS authentication servers
   implement the server function, and thus would be expected to
   implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.

   This MIB module contains two scalars as well as a single table, the
   RADIUS Authentication Server Table, which contains one row for each
   RADIUS authentication server with which the client shares a secret.
   Each entry in the RADIUS Authentication Server Table includes fifteen
   columns presenting a view of the activity of the RADIUS
   authentication client.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2618
   [RFC2618].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS server
   address represented in such a table row is not an IPv4 address.
   Managed entities SHOULD NOT return inaccurate values of IP address or
   SNMP object access errors for IPv4-only address objects in otherwise
   populated tables.  When row entries exist in both the deprecated
   IPv4-only table and the new IP version neutral table that describe
   the same RADIUS server, the row indexes SHOULD be the same for the
   corresponding rows in each table, to facilitate correlation of these
   related rows by management applications.

7.  Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
       SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
       InetAddressType, InetAddress,
       InetPortNumber                   FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
       LAST-UPDATED "200601200000Z" -- 20 Jan 2006
       ORGANIZATION "IETF RADIUS Extensions Working Group."
204 CONTACT-INFO 205 " Bernard Aboba 206 Microsoft 207 One Microsoft Way 208 Redmond, WA 98052 209 US 210 Phone: +1 425 936 6605 211 EMail: bernarda@microsoft.com" 212 DESCRIPTION 213 "The MIB module for entities implementing the client 214 side of the Remote Authentication Dial-In User Service 215 (RADIUS) authentication protocol." 216 REVISION "200601200000Z" -- 20 Jan 2006 217 DESCRIPTION "Revised version as published in RFC xxxx. This 218 version obsoletes that of RFC 2618 by deprecating the MIB 219 table containing IPv4-only address formats and defining a 220 new table to add support for version neutral IP address 221 formats. The remaining MIB objects from RFC 2618 are carried 222 forward into this version." 223 REVISION "9906110000Z" -- 11 Jun 1999 224 DESCRIPTION "Initial version as published in RFC 2618." 226 -- RFC Editor: replace xxxx with actual RFC number at the time of 227 -- publication, and remove this note. 229 ::= { radiusAuthentication 2 } 231 radiusMIB OBJECT-IDENTITY 232 STATUS current 233 DESCRIPTION 234 "The OID assigned to RADIUS MIB work by the IANA." 235 ::= { mib-2 67 } 237 radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1} 239 radiusAuthClientMIBObjects OBJECT IDENTIFIER 240 ::= { radiusAuthClientMIB 1 } 242 radiusAuthClient OBJECT IDENTIFIER 243 ::= { radiusAuthClientMIBObjects 1 } 245 radiusAuthClientInvalidServerAddresses OBJECT-TYPE 246 SYNTAX Counter32 247 UNITS "packets" 248 MAX-ACCESS read-only 249 STATUS current 250 DESCRIPTION 251 "The number of RADIUS Access-Response packets 252 received from unknown addresses." 253 ::= { radiusAuthClient 1 } 255 radiusAuthClientIdentifier OBJECT-TYPE 256 SYNTAX SnmpAdminString 257 MAX-ACCESS read-only 258 STATUS current 259 DESCRIPTION 260 "The NAS-Identifier of the RADIUS authentication client. 261 This is not necessarily the same as sysName in MIB II." 
262 REFERENCE "RFC 2865 section 5.32" 263 ::= { radiusAuthClient 2 } 265 radiusAuthServerTable OBJECT-TYPE 266 SYNTAX SEQUENCE OF RadiusAuthServerEntry 267 MAX-ACCESS not-accessible 268 STATUS deprecated 269 DESCRIPTION 270 "The (conceptual) table listing the RADIUS authentication 271 servers with which the client shares a secret." 272 ::= { radiusAuthClient 3 } 274 radiusAuthServerEntry OBJECT-TYPE 275 SYNTAX RadiusAuthServerEntry 276 MAX-ACCESS not-accessible 277 STATUS deprecated 278 DESCRIPTION 279 "An entry (conceptual row) representing a RADIUS 280 authentication server with which the client shares 281 a secret." 282 INDEX { radiusAuthServerIndex } 283 ::= { radiusAuthServerTable 1 } 285 RadiusAuthServerEntry ::= SEQUENCE { 286 radiusAuthServerIndex Integer32, 287 radiusAuthServerAddress IpAddress, 288 radiusAuthClientServerPortNumber Integer32, 289 radiusAuthClientRoundTripTime TimeTicks, 290 radiusAuthClientAccessRequests Counter32, 291 radiusAuthClientAccessRetransmissions Counter32, 292 radiusAuthClientAccessAccepts Counter32, 293 radiusAuthClientAccessRejects Counter32, 294 radiusAuthClientAccessChallenges Counter32, 295 radiusAuthClientMalformedAccessResponses Counter32, 296 radiusAuthClientBadAuthenticators Counter32, 297 radiusAuthClientPendingRequests Gauge32, 298 radiusAuthClientTimeouts Counter32, 299 radiusAuthClientUnknownTypes Counter32, 300 radiusAuthClientPacketsDropped Counter32 301 } 303 radiusAuthServerIndex OBJECT-TYPE 304 SYNTAX Integer32 (1..2147483647) 305 MAX-ACCESS not-accessible 306 STATUS deprecated 307 DESCRIPTION 308 "A number uniquely identifying each RADIUS 309 Authentication server with which this client 310 communicates." 311 ::= { radiusAuthServerEntry 1 } 313 radiusAuthServerAddress OBJECT-TYPE 314 SYNTAX IpAddress 315 MAX-ACCESS read-only 316 STATUS deprecated 317 DESCRIPTION 318 "The IP address of the RADIUS authentication server 319 referred to in this table entry." 
320 ::= { radiusAuthServerEntry 2 } 322 radiusAuthClientServerPortNumber OBJECT-TYPE 323 SYNTAX Integer32 (0..65535) 324 MAX-ACCESS read-only 325 STATUS deprecated 326 DESCRIPTION 327 "The UDP port the client is using to send requests to 328 this server." 329 REFERENCE "RFC 2865 section 3" 330 ::= { radiusAuthServerEntry 3 } 332 radiusAuthClientRoundTripTime OBJECT-TYPE 333 SYNTAX TimeTicks 334 MAX-ACCESS read-only 335 STATUS deprecated 336 DESCRIPTION 337 "The time interval (in hundredths of a second) between 338 the most recent Access-Reply/Access-Challenge and the 339 Access-Request that matched it from this RADIUS 340 authentication server." 341 ::= { radiusAuthServerEntry 4 } 343 -- Request/Response statistics 344 -- 345 -- TotalIncomingPackets = Accepts + Rejects + Challenges + 346 -- UnknownTypes 347 -- 348 -- TotalIncomingPackets - MalformedResponses - 349 -- BadAuthenticators - UnknownTypes - PacketsDropped = 350 -- Successfully received 351 -- 352 -- AccessRequests + PendingRequests + ClientTimeouts = 353 -- Successfully received 354 -- 355 -- 357 radiusAuthClientAccessRequests OBJECT-TYPE 358 SYNTAX Counter32 359 UNITS "packets" 360 MAX-ACCESS read-only 361 STATUS deprecated 362 DESCRIPTION 363 "The number of RADIUS Access-Request packets sent 364 to this server. This does not include retransmissions." 365 REFERENCE "RFC 2865 section 4.1" 366 ::= { radiusAuthServerEntry 5 } 368 radiusAuthClientAccessRetransmissions OBJECT-TYPE 369 SYNTAX Counter32 370 UNITS "packets" 371 MAX-ACCESS read-only 372 STATUS deprecated 373 DESCRIPTION 374 "The number of RADIUS Access-Request packets 375 retransmitted to this RADIUS authentication server." 376 REFERENCE "RFC 2865 sections 2.5, 4.1" 377 ::= { radiusAuthServerEntry 6 } 379 radiusAuthClientAccessAccepts OBJECT-TYPE 380 SYNTAX Counter32 381 UNITS "packets" 382 MAX-ACCESS read-only 383 STATUS deprecated 384 DESCRIPTION 385 "The number of RADIUS Access-Accept packets 386 (valid or invalid) received from this server." 
387 REFERENCE "RFC 2865 section 4.2" 388 ::= { radiusAuthServerEntry 7 } 390 radiusAuthClientAccessRejects OBJECT-TYPE 391 SYNTAX Counter32 392 UNITS "packets" 393 MAX-ACCESS read-only 394 STATUS deprecated 395 DESCRIPTION 396 "The number of RADIUS Access-Reject packets 397 (valid or invalid) received from this server." 398 REFERENCE "RFC 2865 section 4.3" 399 ::= { radiusAuthServerEntry 8 } 401 radiusAuthClientAccessChallenges OBJECT-TYPE 402 SYNTAX Counter32 403 UNITS "packets" 404 MAX-ACCESS read-only 405 STATUS deprecated 406 DESCRIPTION 407 "The number of RADIUS Access-Challenge packets 408 (valid or invalid) received from this server." 409 REFERENCE "RFC 2865 section 4.4" 410 ::= { radiusAuthServerEntry 9 } 412 -- "Access-Response" includes an Access-Accept, Access-Challenge 413 -- or Access-Reject 415 radiusAuthClientMalformedAccessResponses OBJECT-TYPE 416 SYNTAX Counter32 417 UNITS "packets" 418 MAX-ACCESS read-only 419 STATUS deprecated 420 DESCRIPTION 421 "The number of malformed RADIUS Access-Response 422 packets received from this server. 423 Malformed packets include packets with 424 an invalid length. Bad authenticators or 425 Message Authenticator attributes or unknown types 426 are not included as malformed access responses." 427 ::= { radiusAuthServerEntry 10 } 429 radiusAuthClientBadAuthenticators OBJECT-TYPE 430 SYNTAX Counter32 431 UNITS "packets" 432 MAX-ACCESS read-only 433 STATUS deprecated 434 DESCRIPTION 435 "The number of RADIUS Access-Response packets 436 containing invalid authenticators or Message 437 Authenticator attributes received from this server." 438 REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14" 439 ::= { radiusAuthServerEntry 11 } 441 radiusAuthClientPendingRequests OBJECT-TYPE 442 SYNTAX Gauge32 443 MAX-ACCESS read-only 444 STATUS deprecated 445 DESCRIPTION 446 "The number of RADIUS Access-Request packets 447 destined for this server that have not yet timed out 448 or received a response. 
This variable is incremented 449 when an Access-Request is sent and decremented due to 450 receipt of an Access-Accept, Access-Reject or 451 Access-Challenge, a timeout or retransmission." 452 REFERENCE "RFC 2865 section 2" 453 ::= { radiusAuthServerEntry 12 } 455 radiusAuthClientTimeouts OBJECT-TYPE 456 SYNTAX Counter32 457 UNITS "timeouts" 458 MAX-ACCESS read-only 459 STATUS deprecated 460 DESCRIPTION 461 "The number of authentication timeouts to this server. 462 After a timeout the client may retry to the same 463 server, send to a different server, or 464 give up. A retry to the same server is counted as a 465 retransmit as well as a timeout. A send to a different 466 server is counted as a Request as well as a timeout." 467 REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2" 468 ::= { radiusAuthServerEntry 13 } 470 radiusAuthClientUnknownTypes OBJECT-TYPE 471 SYNTAX Counter32 472 UNITS "packets" 473 MAX-ACCESS read-only 474 STATUS deprecated 475 DESCRIPTION 476 "The number of RADIUS packets of unknown type which 477 were received from this server on the authentication 478 port." 479 ::= { radiusAuthServerEntry 14 } 481 radiusAuthClientPacketsDropped OBJECT-TYPE 482 SYNTAX Counter32 483 UNITS "packets" 484 MAX-ACCESS read-only 485 STATUS deprecated 486 DESCRIPTION 487 "The number of RADIUS packets of which were 488 received from this server on the authentication port 489 and dropped for some other reason." 490 ::= { radiusAuthServerEntry 15 } 492 -- New MIB Objects in this revision 494 radiusAuthServerExtTable OBJECT-TYPE 495 SYNTAX SEQUENCE OF RadiusAuthServerExtEntry 496 MAX-ACCESS not-accessible 497 STATUS current 498 DESCRIPTION 499 "The (conceptual) table listing the RADIUS authentication 500 servers with which the client shares a secret." 
501 ::= { radiusAuthClient 4 } 503 radiusAuthServerExtEntry OBJECT-TYPE 504 SYNTAX RadiusAuthServerExtEntry 505 MAX-ACCESS not-accessible 506 STATUS current 507 DESCRIPTION 508 "An entry (conceptual row) representing a RADIUS 509 authentication server with which the client shares 510 a secret." 511 INDEX { radiusAuthServerExtIndex } 512 ::= { radiusAuthServerExtTable 1 } 514 RadiusAuthServerExtEntry ::= SEQUENCE { 515 radiusAuthServerExtIndex Integer32, 516 radiusAuthServerInetAddressType InetAddressType, 517 radiusAuthServerInetAddress InetAddress, 518 radiusAuthClientServerInetPortNumber InetPortNumber, 519 radiusAuthClientExtRoundTripTime TimeTicks, 520 radiusAuthClientExtAccessRequests Counter32, 521 radiusAuthClientExtAccessRetransmissions Counter32, 522 radiusAuthClientExtAccessAccepts Counter32, 523 radiusAuthClientExtAccessRejects Counter32, 524 radiusAuthClientExtAccessChallenges Counter32, 525 radiusAuthClientExtMalformedAccessResponses Counter32, 526 radiusAuthClientExtBadAuthenticators Counter32, 527 radiusAuthClientExtPendingRequests Gauge32, 528 radiusAuthClientExtTimeouts Counter32, 529 radiusAuthClientExtUnknownTypes Counter32, 530 radiusAuthClientExtPacketsDropped Counter32 531 } 533 radiusAuthServerExtIndex OBJECT-TYPE 534 SYNTAX Integer32 (1..2147483647) 535 MAX-ACCESS not-accessible 536 STATUS current 537 DESCRIPTION 538 "A number uniquely identifying each RADIUS 539 Authentication server with which this client 540 communicates." 541 ::= { radiusAuthServerExtEntry 1 } 543 radiusAuthServerInetAddressType OBJECT-TYPE 544 SYNTAX InetAddressType 545 MAX-ACCESS read-only 546 STATUS current 547 DESCRIPTION 548 "The type of address format used for the 549 radiusAuthServerInetAddress object." 
550 ::= { radiusAuthServerExtEntry 2 } 552 radiusAuthServerInetAddress OBJECT-TYPE 553 SYNTAX InetAddress 554 MAX-ACCESS read-only 555 STATUS current 556 DESCRIPTION 557 "The IP address of the RADIUS authentication 558 server referred to in this table entry, using 559 the version neutral IP address format." 560 ::= { radiusAuthServerExtEntry 3 } 562 radiusAuthClientServerInetPortNumber OBJECT-TYPE 563 SYNTAX InetPortNumber 564 MAX-ACCESS read-only 565 STATUS current 566 DESCRIPTION 567 "The UDP port the client is using to send requests 568 to this server." 569 REFERENCE "RFC 2865 section 3" 570 ::= { radiusAuthServerExtEntry 4 } 572 radiusAuthClientExtRoundTripTime OBJECT-TYPE 573 SYNTAX TimeTicks 574 MAX-ACCESS read-only 575 STATUS current 576 DESCRIPTION 577 "The time interval (in hundredths of a second) between 578 the most recent Access-Reply/Access-Challenge and the 579 Access-Request that matched it from this RADIUS 580 authentication server." 581 REFERENCE "RFC 2865 section 2" 582 ::= { radiusAuthServerExtEntry 5 } 584 -- Request/Response statistics 585 -- 586 -- TotalIncomingPackets = Accepts + Rejects + Challenges + 587 -- UnknownTypes 588 -- 589 -- TotalIncomingPackets - MalformedResponses - 590 -- BadAuthenticators - UnknownTypes - PacketsDropped = 591 -- Successfully received 592 -- 593 -- AccessRequests + PendingRequests + ClientTimeouts = 594 -- Successfully received 595 -- 596 -- 598 radiusAuthClientExtAccessRequests OBJECT-TYPE 599 SYNTAX Counter32 600 UNITS "packets" 601 MAX-ACCESS read-only 602 STATUS current 603 DESCRIPTION 604 "The number of RADIUS Access-Request packets sent 605 to this server. This does not include retransmissions." 
606 REFERENCE "RFC 2865 section 4.1" 607 ::= { radiusAuthServerExtEntry 6 } 609 radiusAuthClientExtAccessRetransmissions OBJECT-TYPE 610 SYNTAX Counter32 611 UNITS "packets" 612 MAX-ACCESS read-only 613 STATUS current 614 DESCRIPTION 615 "The number of RADIUS Access-Request packets 616 retransmitted to this RADIUS authentication server." 617 REFERENCE "RFC 2865 sections 2.5, 4.1" 618 ::= { radiusAuthServerExtEntry 7 } 620 radiusAuthClientExtAccessAccepts OBJECT-TYPE 621 SYNTAX Counter32 622 UNITS "packets" 623 MAX-ACCESS read-only 624 STATUS current 625 DESCRIPTION 626 "The number of RADIUS Access-Accept packets 627 (valid or invalid) received from this server." 628 REFERENCE "RFC 2865 section 4.2" 629 ::= { radiusAuthServerExtEntry 8 } 631 radiusAuthClientExtAccessRejects OBJECT-TYPE 632 SYNTAX Counter32 633 UNITS "packets" 634 MAX-ACCESS read-only 635 STATUS current 636 DESCRIPTION 637 "The number of RADIUS Access-Reject packets 638 (valid or invalid) received from this server." 640 REFERENCE "RFC 2865 section 4.3" 641 ::= { radiusAuthServerExtEntry 9 } 643 radiusAuthClientExtAccessChallenges OBJECT-TYPE 644 SYNTAX Counter32 645 UNITS "packets" 646 MAX-ACCESS read-only 647 STATUS current 648 DESCRIPTION 649 "The number of RADIUS Access-Challenge packets 650 (valid or invalid) received from this server." 651 REFERENCE "RFC 2865 section 4.4" 652 ::= { radiusAuthServerExtEntry 10 } 654 -- "Access-Response" includes an Access-Accept, Access-Challenge 655 -- or Access-Reject 657 radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE 658 SYNTAX Counter32 659 UNITS "packets" 660 MAX-ACCESS read-only 661 STATUS current 662 DESCRIPTION 663 "The number of malformed RADIUS Access-Response 664 packets received from this server. 665 Malformed packets include packets with 666 an invalid length. Bad authenticators or 667 Message Authenticator attributes or unknown types 668 are not included as malformed access responses." 
669 REFERENCE "RFC 2865 sections 3, 4" 670 ::= { radiusAuthServerExtEntry 11 } 672 radiusAuthClientExtBadAuthenticators OBJECT-TYPE 673 SYNTAX Counter32 674 UNITS "packets" 675 MAX-ACCESS read-only 676 STATUS current 677 DESCRIPTION 678 "The number of RADIUS Access-Response packets 679 containing invalid authenticators or Message 680 Authenticator attributes received from this server." 681 REFERENCE "RFC 2865 section 3" 682 ::= { radiusAuthServerExtEntry 12 } 684 radiusAuthClientExtPendingRequests OBJECT-TYPE 685 SYNTAX Gauge32 686 UNITS "packets" 687 MAX-ACCESS read-only 688 STATUS current 689 DESCRIPTION 690 "The number of RADIUS Access-Request packets 691 destined for this server that have not yet timed out 692 or received a response. This variable is incremented 693 when an Access-Request is sent and decremented due to 694 receipt of an Access-Accept, Access-Reject or 695 Access-Challenge, a timeout or retransmission." 696 REFERENCE "RFC 2865 section 2" 697 ::= { radiusAuthServerExtEntry 13 } 699 radiusAuthClientExtTimeouts OBJECT-TYPE 700 SYNTAX Counter32 701 UNITS "timeouts" 702 MAX-ACCESS read-only 703 STATUS current 704 DESCRIPTION 705 "The number of authentication timeouts to this server. 706 After a timeout the client may retry to the same 707 server, send to a different server, or 708 give up. A retry to the same server is counted as a 709 retransmit as well as a timeout. A send to a different 710 server is counted as a Request as well as a timeout." 711 REFERENCE "RFC 2865 sections 2.5, 4.1" 712 ::= { radiusAuthServerExtEntry 14 } 714 radiusAuthClientExtUnknownTypes OBJECT-TYPE 715 SYNTAX Counter32 716 UNITS "packets" 717 MAX-ACCESS read-only 718 STATUS current 719 DESCRIPTION 720 "The number of RADIUS packets of unknown type which 721 were received from this server on the authentication 722 port." 
          REFERENCE "RFC 2865 section 4"
          ::= { radiusAuthServerExtEntry 15 }

   radiusAuthClientExtPacketsDropped OBJECT-TYPE
          SYNTAX Counter32
          UNITS "packets"
          MAX-ACCESS read-only
          STATUS current
          DESCRIPTION
                "The number of RADIUS packets that were
                 received from this server on the authentication port
                 and dropped for some other reason."
          ::= { radiusAuthServerExtEntry 16 }

   -- conformance information

   radiusAuthClientMIBConformance OBJECT IDENTIFIER
          ::= { radiusAuthClientMIB 2 }

   radiusAuthClientMIBCompliances OBJECT IDENTIFIER
          ::= { radiusAuthClientMIBConformance 1 }

   radiusAuthClientMIBGroups OBJECT IDENTIFIER
          ::= { radiusAuthClientMIBConformance 2 }

   -- compliance statements

   radiusAuthClientMIBCompliance MODULE-COMPLIANCE
          STATUS deprecated
          DESCRIPTION
                "The compliance statement for authentication clients
                 implementing the RADIUS Authentication Client MIB.
                 Implementation of this module is for IPv4-only
                 entities, or for backwards compatibility use with
                 entities that support both IPv4 and IPv6."
          MODULE -- this module
          MANDATORY-GROUPS { radiusAuthClientMIBGroup }

          ::= { radiusAuthClientMIBCompliances 1 }

   radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE
          STATUS current
          DESCRIPTION
                "The compliance statement for authentication
                 clients implementing the RADIUS Authentication
                 Client IPv6 Extensions MIB.  Implementation of
                 this module is for entities that support IPv6,
                 or support IPv4 and IPv6."
          MODULE -- this module
          MANDATORY-GROUPS { radiusAuthClientExtMIBGroup }

          ::= { radiusAuthClientMIBCompliances 2 }

   -- units of conformance

   radiusAuthClientMIBGroup OBJECT-GROUP
          OBJECTS { radiusAuthClientIdentifier,
                    radiusAuthClientInvalidServerAddresses,
                    radiusAuthServerAddress,
                    radiusAuthClientServerPortNumber,
                    radiusAuthClientRoundTripTime,
                    radiusAuthClientAccessRequests,
                    radiusAuthClientAccessRetransmissions,
                    radiusAuthClientAccessAccepts,
                    radiusAuthClientAccessRejects,
                    radiusAuthClientAccessChallenges,
                    radiusAuthClientMalformedAccessResponses,
                    radiusAuthClientBadAuthenticators,
                    radiusAuthClientPendingRequests,
                    radiusAuthClientTimeouts,
                    radiusAuthClientUnknownTypes,
                    radiusAuthClientPacketsDropped
          }
          STATUS deprecated
          DESCRIPTION
                "The basic collection of objects providing management of
                 RADIUS Authentication Clients."
          ::= { radiusAuthClientMIBGroups 1 }

   radiusAuthClientExtMIBGroup OBJECT-GROUP
          OBJECTS { radiusAuthClientIdentifier,
                    radiusAuthClientInvalidServerAddresses,
                    radiusAuthServerInetAddressType,
                    radiusAuthServerInetAddress,
                    radiusAuthClientServerInetPortNumber,
                    radiusAuthClientExtRoundTripTime,
                    radiusAuthClientExtAccessRequests,
                    radiusAuthClientExtAccessRetransmissions,
                    radiusAuthClientExtAccessAccepts,
                    radiusAuthClientExtAccessRejects,
                    radiusAuthClientExtAccessChallenges,
                    radiusAuthClientExtMalformedAccessResponses,
                    radiusAuthClientExtBadAuthenticators,
                    radiusAuthClientExtPendingRequests,
                    radiusAuthClientExtTimeouts,
                    radiusAuthClientExtUnknownTypes,
                    radiusAuthClientExtPacketsDropped
          }
          STATUS current
          DESCRIPTION
                "The collection of extended objects providing
                 management of RADIUS Authentication Clients
                 using version neutral IP address format."
          ::= { radiusAuthClientMIBGroups 2 }

   END

8.  IANA Considerations

   This document requires no new IANA assignments.

9.  Security Considerations

   There are no management objects defined in this MIB that have a MAX-
   ACCESS clause of read-write and/or read-create.  So, if this MIB is
   implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   radiusAuthServerAddress  This can be used to determine the address
      of the RADIUS authentication server with which the client is
      communicating.  This information could be useful in mounting an
      attack on the authentication server.

   radiusAuthServerInetAddress  This can be used to determine the
      address of the RADIUS authentication server with which the client
      is communicating.  This information could be useful in mounting
      an attack on the authentication server.

   radiusAuthClientServerInetPortNumber  This can be used to determine
      the port number on which the RADIUS authentication client is
      sending.  This information could be useful in impersonating the
      client in order to send data to the authentication server.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in
   this MIB module.
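   As an added illustration of the access-control concern just
   described (not part of this document or of any implementation it
   references), the net-snmp snmpd.conf fragment below contrasts a
   pre-SNMPv3 community configuration with an SNMPv3 user confined by a
   VACM view to this MIB's subtree.  The subtree OID is the
   radiusAuthClientMIB registration from RFC 2618 (not reproduced in
   this excerpt); the user name, view name and passphrases are
   placeholders.

```conf
# --- Weak: SNMPv1/v2c community string.  The community name travels
#     in cleartext and grants read access to the entire OID tree, so
#     any host that learns it can walk radiusAuthServerInetAddress,
#     radiusAuthClientServerInetPortNumber and every other object here.
# rocommunity public

# --- Hardened: SNMPv3 user under the User-based Security Model with
#     authentication (SHA) and privacy (AES), restricted by a VACM view
#     to the radiusAuthClientMIB subtree only.
# radiusAuthClientMIB is registered at 1.3.6.1.2.1.67.1.2 (RFC 2618).
# "radiusmon", the view name and both passphrases are placeholders.
createUser radiusmon SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
view radiusAuthClientView included .1.3.6.1.2.1.67.1.2
rouser radiusmon priv -V radiusAuthClientView
```

   With this configuration a GET of, for example,
   radiusAuthClientExtPacketsDropped succeeds only for radiusmon over an
   authenticated and encrypted SNMPv3 session, and requests for objects
   outside the view are rejected.  net-snmp converts the createUser line
   into localized keys in its persistent configuration on first start,
   so the plaintext passphrases should be removed from snmpd.conf
   afterwards.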
   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B.
              Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

Appendix A.  Acknowledgments

   The Authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to Dave Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.