Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2618 (if approved)                           May 12, 2006
Expires: November 13, 2006

                      RADIUS Auth Client MIB (IPv6)
                    draft-ietf-radext-rfc2618bis-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 13, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a set of extensions which instrument RADIUS
   authentication client functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions IP-based management stations can manage RADIUS
   authentication clients.

   This memo obsoletes RFC 2618 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2618 are carried forward into this document.  The memo also adds
   UNITS and REFERENCE clauses to selected objects.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

   This document uses the word "malformed" with respect to RADIUS
   packets, particularly in the context of counters of "malformed
   packets".  While RFC 2865 does not provide an explicit definition of
   "malformed", malformed generally means that the implementation has
   determined the packet does not match the format defined in RFC 2865.
   Some implementations may determine that packets are malformed when
   the Vendor Specific Attribute (VSA) format does not follow the RFC
   2865 recommendations for VSAs.  Those implementations are used in
   deployments today, and thus set the de-facto definition of
   "malformed".

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Client as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2618 [RFC2618], RADIUS Authentication
   Client MIB, by deprecating the radiusAuthServerTable table and adding
   a new table, radiusAuthServerExtTable, containing
   radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
   radiusAuthClientServerInetPortNumber.  The purpose of these added MIB
   objects is to support version neutral IP addressing formats.  The
   existing table containing radiusAuthServerAddress and
   radiusAuthClientServerPortNumber is deprecated.  The remaining MIB
   objects are carried forward from RFC 2618 into this document.  This
   memo also adds UNITS and REFERENCE clauses to selected objects.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   IPv6 addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP.  The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated".  The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically Network Access Server (NAS) devices implement the client
   function, and thus would be expected to implement the RADIUS
   authentication client MIB, while RADIUS authentication servers
   implement the server function, and thus would be expected to
   implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.

   This MIB module contains two scalars as well as a single table, the
   RADIUS Authentication Server Table, which contains one row for each
   RADIUS authentication server with which the client shares a secret.
   Each entry in the RADIUS Authentication Server Table includes sixteen
   columns presenting a view of the activity of the RADIUS
   authentication client.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2618
   [RFC2618].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS server
   address represented in such a table row is not an IPv4 address.
   Managed entities SHOULD NOT return inaccurate values of IP address or
   SNMP object access errors for IPv4-only address objects in otherwise
   populated tables.  When row entries exist in both the deprecated
   IPv4-only table and the new IP version neutral table that describe
   the same RADIUS server, the row indexes SHOULD be the same for the
   corresponding rows in each table, to facilitate correlation of these
   related rows by management applications.

7.  Definitions

RADIUS-AUTH-CLIENT-MIB DEFINITIONS ::= BEGIN

IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
       Counter32, Integer32, Gauge32,
       IpAddress, TimeTicks, mib-2       FROM SNMPv2-SMI
       SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
       InetAddressType, InetAddress,
       InetPortNumber                    FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

radiusAuthClientMIB MODULE-IDENTITY
      LAST-UPDATED "200605100000Z" -- 10 May 2006
      ORGANIZATION "IETF RADIUS Extensions Working Group."
      CONTACT-INFO
             " Bernard Aboba
               Microsoft
               One Microsoft Way
               Redmond, WA  98052
               US
               Phone: +1 425 936 6605
               EMail: bernarda@microsoft.com"
      DESCRIPTION
            "The MIB module for entities implementing the client
             side of the Remote Authentication Dial-In User Service
             (RADIUS) authentication protocol.  Copyright (C) The
             Internet Society (2006).
             This version of this MIB
             module is part of RFC xxxx; see the RFC itself for
             full legal notices."

-- RFC Editor: replace xxxx with actual RFC number at the time of
-- publication, and remove this note.

      REVISION "200605100000Z" -- 10 May 2006
      DESCRIPTION
            "Revised version as published in RFC xxxx.  This
             version obsoletes that of RFC 2618 by deprecating
             the MIB table containing IPv4-only address formats
             and defining a new table to add support for version
             neutral IP address formats.  The remaining MIB objects
             from RFC 2618 are carried forward into this version."

-- RFC Editor: replace xxxx with actual RFC number at the time of
-- publication, and remove this note.

      REVISION "199906110000Z" -- 11 Jun 1999
      DESCRIPTION "Initial version as published in RFC 2618."
      ::= { radiusAuthentication 2 }

radiusMIB OBJECT-IDENTITY
      STATUS current
      DESCRIPTION
            "The OID assigned to RADIUS MIB work by the IANA."
      ::= { mib-2 67 }

radiusAuthentication OBJECT IDENTIFIER ::= {radiusMIB 1}

radiusAuthClientMIBObjects OBJECT IDENTIFIER
      ::= { radiusAuthClientMIB 1 }

radiusAuthClient OBJECT IDENTIFIER
      ::= { radiusAuthClientMIBObjects 1 }

radiusAuthClientInvalidServerAddresses OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             received from unknown addresses."
      ::= { radiusAuthClient 1 }

radiusAuthClientIdentifier OBJECT-TYPE
      SYNTAX SnmpAdminString
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The NAS-Identifier of the RADIUS authentication client.
             This is not necessarily the same as sysName in MIB II."
      REFERENCE "RFC 2865 section 5.32"
      ::= { radiusAuthClient 2 }

radiusAuthServerTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS deprecated
      DESCRIPTION
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 3 }

radiusAuthServerEntry OBJECT-TYPE
      SYNTAX RadiusAuthServerEntry
      MAX-ACCESS not-accessible
      STATUS deprecated
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares
             a secret."
      INDEX { radiusAuthServerIndex }
      ::= { radiusAuthServerTable 1 }

RadiusAuthServerEntry ::= SEQUENCE {
      radiusAuthServerIndex                      Integer32,
      radiusAuthServerAddress                    IpAddress,
      radiusAuthClientServerPortNumber           Integer32,
      radiusAuthClientRoundTripTime              TimeTicks,
      radiusAuthClientAccessRequests             Counter32,
      radiusAuthClientAccessRetransmissions      Counter32,
      radiusAuthClientAccessAccepts              Counter32,
      radiusAuthClientAccessRejects              Counter32,
      radiusAuthClientAccessChallenges           Counter32,
      radiusAuthClientMalformedAccessResponses   Counter32,
      radiusAuthClientBadAuthenticators          Counter32,
      radiusAuthClientPendingRequests            Gauge32,
      radiusAuthClientTimeouts                   Counter32,
      radiusAuthClientUnknownTypes               Counter32,
      radiusAuthClientPacketsDropped             Counter32
}

radiusAuthServerIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS deprecated
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
             communicates."
      ::= { radiusAuthServerEntry 1 }

radiusAuthServerAddress OBJECT-TYPE
      SYNTAX IpAddress
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The IP address of the RADIUS authentication server
             referred to in this table entry."
      ::= { radiusAuthServerEntry 2 }

radiusAuthClientServerPortNumber OBJECT-TYPE
      SYNTAX Integer32 (0..65535)
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The UDP port the client is using to send requests to
             this server."
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerEntry 3 }

radiusAuthClientRoundTripTime OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The time interval (in hundredths of a second) between
             the most recent Access-Reply/Access-Challenge and the
             Access-Request that matched it from this RADIUS
             authentication server."
      ::= { radiusAuthServerEntry 4 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges +
-- UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received
--
--

radiusAuthClientAccessRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Request packets sent
             to this server.  This does not include retransmissions."
      REFERENCE "RFC 2865 section 4.1"
      ::= { radiusAuthServerEntry 5 }

radiusAuthClientAccessRetransmissions OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerEntry 6 }

radiusAuthClientAccessAccepts OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.2"
      ::= { radiusAuthServerEntry 7 }

radiusAuthClientAccessRejects OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.3"
      ::= { radiusAuthServerEntry 8 }

radiusAuthClientAccessChallenges OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server."
      REFERENCE "RFC 2865 section 4.4"
      ::= { radiusAuthServerEntry 9 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject

radiusAuthClientMalformedAccessResponses OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length.  Bad authenticators or
             Message Authenticator attributes or unknown types
             are not included as malformed access responses."
      ::= { radiusAuthServerEntry 10 }

radiusAuthClientBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Message
             Authenticator attributes received from this server."
      REFERENCE "RFC 2865 section 3, RFC 2869 section 5.14"
      ::= { radiusAuthServerEntry 11 }

radiusAuthClientPendingRequests OBJECT-TYPE
      SYNTAX Gauge32
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response.
             This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject or
             Access-Challenge, a timeout or retransmission."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerEntry 12 }

radiusAuthClientTimeouts OBJECT-TYPE
      SYNTAX Counter32
      UNITS "timeouts"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of authentication timeouts to this server.
             After a timeout the client may retry to the same
             server, send to a different server, or
             give up.  A retry to the same server is counted as a
             retransmit as well as a timeout.  A send to a different
             server is counted as a Request as well as a timeout."
      REFERENCE "RFC 2865 section 2, RFC 2869 section 2.3.2"
      ::= { radiusAuthServerEntry 13 }

radiusAuthClientUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS packets of unknown type which
             were received from this server on the authentication
             port."
      ::= { radiusAuthServerEntry 14 }

radiusAuthClientPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS deprecated
      DESCRIPTION
            "The number of RADIUS packets which were
             received from this server on the authentication port
             and dropped for some other reason."
      ::= { radiusAuthServerEntry 15 }

-- New MIB Objects in this revision

radiusAuthServerExtTable OBJECT-TYPE
      SYNTAX SEQUENCE OF RadiusAuthServerExtEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "The (conceptual) table listing the RADIUS authentication
             servers with which the client shares a secret."
      ::= { radiusAuthClient 4 }

radiusAuthServerExtEntry OBJECT-TYPE
      SYNTAX RadiusAuthServerExtEntry
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "An entry (conceptual row) representing a RADIUS
             authentication server with which the client shares
             a secret."
      INDEX { radiusAuthServerExtIndex }
      ::= { radiusAuthServerExtTable 1 }

RadiusAuthServerExtEntry ::= SEQUENCE {
      radiusAuthServerExtIndex                      Integer32,
      radiusAuthServerInetAddressType               InetAddressType,
      radiusAuthServerInetAddress                   InetAddress,
      radiusAuthClientServerInetPortNumber          InetPortNumber,
      radiusAuthClientExtRoundTripTime              TimeTicks,
      radiusAuthClientExtAccessRequests             Counter32,
      radiusAuthClientExtAccessRetransmissions      Counter32,
      radiusAuthClientExtAccessAccepts              Counter32,
      radiusAuthClientExtAccessRejects              Counter32,
      radiusAuthClientExtAccessChallenges           Counter32,
      radiusAuthClientExtMalformedAccessResponses   Counter32,
      radiusAuthClientExtBadAuthenticators          Counter32,
      radiusAuthClientExtPendingRequests            Gauge32,
      radiusAuthClientExtTimeouts                   Counter32,
      radiusAuthClientExtUnknownTypes               Counter32,
      radiusAuthClientExtPacketsDropped             Counter32,
      radiusAuthClientCounterDiscontinuity          TimeTicks
}

radiusAuthServerExtIndex OBJECT-TYPE
      SYNTAX Integer32 (1..2147483647)
      MAX-ACCESS not-accessible
      STATUS current
      DESCRIPTION
            "A number uniquely identifying each RADIUS
             Authentication server with which this client
             communicates."
      ::= { radiusAuthServerExtEntry 1 }

radiusAuthServerInetAddressType OBJECT-TYPE
      SYNTAX InetAddressType
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The type of address format used for the
             radiusAuthServerInetAddress object."
      ::= { radiusAuthServerExtEntry 2 }

radiusAuthServerInetAddress OBJECT-TYPE
      SYNTAX InetAddress
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The IP address of the RADIUS authentication
             server referred to in this table entry, using
             the version neutral IP address format."
      ::= { radiusAuthServerExtEntry 3 }

radiusAuthClientServerInetPortNumber OBJECT-TYPE
      SYNTAX InetPortNumber ( 1..65535 )
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The UDP port the client is using to send requests
             to this server.  The value of zero (0) is invalid."
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerExtEntry 4 }

radiusAuthClientExtRoundTripTime OBJECT-TYPE
      SYNTAX TimeTicks
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The time interval (in hundredths of a second) between
             the most recent Access-Reply/Access-Challenge and the
             Access-Request that matched it from this RADIUS
             authentication server."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerExtEntry 5 }

-- Request/Response statistics
--
-- TotalIncomingPackets = Accepts + Rejects + Challenges +
-- UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses -
-- BadAuthenticators - UnknownTypes - PacketsDropped =
-- Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully received
--
--

radiusAuthClientExtAccessRequests OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets sent
             to this server.  This does not include retransmissions.
             This counter may experience a discontinuity when the
             RADIUS Client module within the managed entity is
             reinitialized, as indicated by the current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.1"
      ::= { radiusAuthServerExtEntry 6 }

radiusAuthClientExtAccessRetransmissions OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             retransmitted to this RADIUS authentication server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerExtEntry 7 }

radiusAuthClientExtAccessAccepts OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Accept packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.2"
      ::= { radiusAuthServerExtEntry 8 }

radiusAuthClientExtAccessRejects OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Reject packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the
             current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.3"
      ::= { radiusAuthServerExtEntry 9 }

radiusAuthClientExtAccessChallenges OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Challenge packets
             (valid or invalid) received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the
             current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4.4"
      ::= { radiusAuthServerExtEntry 10 }

-- "Access-Response" includes an Access-Accept, Access-Challenge
-- or Access-Reject

radiusAuthClientExtMalformedAccessResponses OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of malformed RADIUS Access-Response
             packets received from this server.
             Malformed packets include packets with
             an invalid length.  Bad authenticators or
             Message Authenticator attributes or unknown types
             are not included as malformed access responses.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 3, 4"
      ::= { radiusAuthServerExtEntry 11 }

radiusAuthClientExtBadAuthenticators OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Response packets
             containing invalid authenticators or Message
             Authenticator attributes received from this server.
             This counter may experience a discontinuity when
             the RADIUS Client module within the managed entity
             is reinitialized, as indicated by the current value
             of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 3"
      ::= { radiusAuthServerExtEntry 12 }

radiusAuthClientExtPendingRequests OBJECT-TYPE
      SYNTAX Gauge32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS Access-Request packets
             destined for this server that have not yet timed out
             or received a response.
             This variable is incremented
             when an Access-Request is sent and decremented due to
             receipt of an Access-Accept, Access-Reject or
             Access-Challenge, a timeout or retransmission."
      REFERENCE "RFC 2865 section 2"
      ::= { radiusAuthServerExtEntry 13 }

radiusAuthClientExtTimeouts OBJECT-TYPE
      SYNTAX Counter32
      UNITS "timeouts"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of authentication timeouts to this server.
             After a timeout the client may retry to the same
             server, send to a different server, or
             give up.  A retry to the same server is counted as a
             retransmit as well as a timeout.  A send to a different
             server is counted as a Request as well as a timeout.
             This counter may experience a discontinuity when the
             RADIUS Client module within the managed entity is
             reinitialized, as indicated by the current value of
             radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 sections 2.5, 4.1"
      ::= { radiusAuthServerExtEntry 14 }

radiusAuthClientExtUnknownTypes OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets of unknown type which
             were received from this server on the authentication
             port.  This counter may experience a discontinuity
             when the RADIUS Client module within the managed
             entity is reinitialized, as indicated by the current
             value of radiusAuthClientCounterDiscontinuity."
      REFERENCE "RFC 2865 section 4"
      ::= { radiusAuthServerExtEntry 15 }

radiusAuthClientExtPacketsDropped OBJECT-TYPE
      SYNTAX Counter32
      UNITS "packets"
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION
            "The number of RADIUS packets which were
             received from this server on the authentication port
             and dropped for some other reason.
This counter may 781 experience a discontinuity when the RADIUS Client 782 module within the managed entity is reinitialized, 783 as indicated by the current value of 784 radiusAuthClientCounterDiscontinuity." 785 ::= { radiusAuthServerExtEntry 16 } 787 radiusAuthClientCounterDiscontinuity OBJECT-TYPE 788 SYNTAX TimeTicks 789 UNITS "centiseconds" 790 MAX-ACCESS read-only 791 STATUS current 792 DESCRIPTION 793 "The number of centiseconds since the last discontinuity 794 in the RADIUS Client counters. A discontinuity may 795 be the result of a reinitialization of the RADIUS 796 Client module within the managed entity." 797 ::= { radiusAuthServerExtEntry 17 } 799 -- conformance information 801 radiusAuthClientMIBConformance OBJECT IDENTIFIER 802 ::= { radiusAuthClientMIB 2 } 804 radiusAuthClientMIBCompliances OBJECT IDENTIFIER 805 ::= { radiusAuthClientMIBConformance 1 } 807 radiusAuthClientMIBGroups OBJECT IDENTIFIER 808 ::= { radiusAuthClientMIBConformance 2 } 810 -- compliance statements 812 radiusAuthClientMIBCompliance MODULE-COMPLIANCE 813 STATUS deprecated 814 DESCRIPTION 815 "The compliance statement for authentication clients 816 implementing the RADIUS Authentication Client MIB. 817 Implementation of this module is for IPv4-only 818 entities, or for backwards compatibility use with 819 entities that support both IPv4 and IPv6." 820 MODULE -- this module 821 MANDATORY-GROUPS { radiusAuthClientMIBGroup } 823 ::= { radiusAuthClientMIBCompliances 1 } 825 radiusAuthClientExtMIBCompliance MODULE-COMPLIANCE 826 STATUS current 827 DESCRIPTION 828 "The compliance statement for authentication 829 clients implementing the RADIUS Authentication 830 Client IPv6 Extensions MIB. Implementation of 831 this module is for entities that support IPv6, 832 or support IPv4 and IPv6." 
833 MODULE -- this module 834 MANDATORY-GROUPS { radiusAuthClientExtMIBGroup } 836 OBJECT radiusAuthServerInetAddressType 837 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 838 DESCRIPTION 839 "An implementation is only required to support 840 IPv4 and globally unique IPv6 addresses." 842 OBJECT radiusAuthServerInetAddress 843 SYNTAX InetAddress ( SIZE (4|16) ) 844 DESCRIPTION 845 "An implementation is only required to support 846 IPv4 and globally unique IPv6 addresses." 847 ::= { radiusAuthClientMIBCompliances 2 } 849 -- units of conformance 851 radiusAuthClientMIBGroup OBJECT-GROUP 852 OBJECTS { radiusAuthClientIdentifier, 853 radiusAuthClientInvalidServerAddresses, 854 radiusAuthServerAddress, 855 radiusAuthClientServerPortNumber, 856 radiusAuthClientRoundTripTime, 857 radiusAuthClientAccessRequests, 858 radiusAuthClientAccessRetransmissions, 859 radiusAuthClientAccessAccepts, 860 radiusAuthClientAccessRejects, 861 radiusAuthClientAccessChallenges, 862 radiusAuthClientMalformedAccessResponses, 863 radiusAuthClientBadAuthenticators, 864 radiusAuthClientPendingRequests, 865 radiusAuthClientTimeouts, 866 radiusAuthClientUnknownTypes, 867 radiusAuthClientPacketsDropped 868 } 869 STATUS deprecated 870 DESCRIPTION 871 "The basic collection of objects providing management of 872 RADIUS Authentication Clients." 
         ::= { radiusAuthClientMIBGroups 1 }

   radiusAuthClientExtMIBGroup OBJECT-GROUP
         OBJECTS { radiusAuthClientIdentifier,
                   radiusAuthClientInvalidServerAddresses,
                   radiusAuthServerInetAddressType,
                   radiusAuthServerInetAddress,
                   radiusAuthClientServerInetPortNumber,
                   radiusAuthClientExtRoundTripTime,
                   radiusAuthClientExtAccessRequests,
                   radiusAuthClientExtAccessRetransmissions,
                   radiusAuthClientExtAccessAccepts,
                   radiusAuthClientExtAccessRejects,
                   radiusAuthClientExtAccessChallenges,
                   radiusAuthClientExtMalformedAccessResponses,
                   radiusAuthClientExtBadAuthenticators,
                   radiusAuthClientExtPendingRequests,
                   radiusAuthClientExtTimeouts,
                   radiusAuthClientExtUnknownTypes,
                   radiusAuthClientExtPacketsDropped,
                   radiusAuthClientCounterDiscontinuity
         }
         STATUS current
         DESCRIPTION
               "The collection of extended objects providing
               management of RADIUS Authentication Clients
               using version neutral IP address format."
         ::= { radiusAuthClientMIBGroups 2 }

   END

8.  IANA Considerations

   This document requires no new IANA assignments.

9.  Security Considerations

   There are no management objects defined in this MIB that have a MAX-
   ACCESS clause of read-write and/or read-create.  So, if this MIB is
   implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.
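   Two properties of the module above can be checked mechanically rather
   than by reading every object: that no OBJECT-TYPE carries a MAX-ACCESS
   of read-write or read-create (the basis for the first paragraph of this
   section), and that every Counter32 object's DESCRIPTION names
   radiusAuthClientCounterDiscontinuity as its discontinuity indicator, as
   SMIv2 [RFC2578] expects for counters.  The following Python script is an
   added example and is not part of this draft or of any IETF tool.  It runs
   over a constructed excerpt that contains two objects copied from the
   module plus two hypothetical objects, radiusAuthClientExampleRetryLimit
   and radiusAuthClientExampleDrops, which are not in the MIB and exist only
   so that the checks have something to report:

```python
"""MIB-reviewer checks over an SMIv2 module excerpt (added example, not part
of this draft or of any IETF tool): no OBJECT-TYPE may be writable via SNMP
SET, and every Counter32 DESCRIPTION must name the discontinuity indicator."""
import re

# Constructed excerpt: two objects copied from the module above plus two
# hypothetical ones (radiusAuthClientExampleRetryLimit, writable, and
# radiusAuthClientExampleDrops, a counter with no discontinuity reference)
# that are NOT in the real MIB and exist only so the checks report something.
MIB_EXCERPT = """
-- "Access-Response" includes an Access-Accept, Access-Challenge or Access-Reject
radiusAuthClientExtBadAuthenticators OBJECT-TYPE
    SYNTAX Counter32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of RADIUS Access-Response packets containing invalid
        authenticators or Message Authenticator attributes received from
        this server.  This counter may experience a discontinuity when the
        RADIUS Client module within the managed entity is reinitialized, as
        indicated by the current value of radiusAuthClientCounterDiscontinuity."
    REFERENCE "RFC 2865 section 3"
    ::= { radiusAuthServerExtEntry 12 }

radiusAuthClientExtPendingRequests OBJECT-TYPE
    SYNTAX Gauge32
    UNITS "packets"
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The number of RADIUS Access-Request packets destined for this
        server that have not yet timed out or received a response."
    REFERENCE "RFC 2865 section 2"
    ::= { radiusAuthServerExtEntry 13 }

radiusAuthClientExampleRetryLimit OBJECT-TYPE
    SYNTAX Integer32
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION "Hypothetical writable object; not in the real MIB."
    ::= { radiusAuthServerExtEntry 98 }

radiusAuthClientExampleDrops OBJECT-TYPE
    SYNTAX Counter32
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Hypothetical counter with no discontinuity reference."
    ::= { radiusAuthServerExtEntry 99 }
"""

WRITABLE = {"read-write", "read-create"}
DISCONTINUITY_OBJ = "radiusAuthClientCounterDiscontinuity"

# name OBJECT-TYPE <clauses> ::= { parent subid }
OBJECT_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE(?P<body>.*?)::=\s*\{[^}]*\}", re.S)


def _stash_strings_and_drop_comments(text):
    """Swap quoted strings for numbered placeholders, then delete -- comments.

    Strings go first so a "--" inside a DESCRIPTION is not taken for a comment
    and a quote inside a comment cannot open a string.  Assumes balanced quotes.
    """
    strings = []

    def stash(m):
        strings.append(m.group(0)[1:-1])
        return f'"{len(strings) - 1}"'

    text = re.sub(r'"[^"]*"', stash, text)
    text = re.sub(r"--[^\n]*", "", text)
    return text, strings


def _clause(body, pattern):
    m = re.search(pattern, body)
    return m.group(1).strip() if m else ""


def parse_object_types(text):
    """Map each OBJECT-TYPE name to its SYNTAX, MAX-ACCESS, STATUS, DESCRIPTION."""
    cleaned, strings = _stash_strings_and_drop_comments(text)
    objects = {}
    for m in OBJECT_RE.finditer(cleaned):
        body = m.group("body")
        desc = re.search(r'DESCRIPTION\s+"(\d+)"', body)
        objects[m.group("name")] = {
            "syntax": _clause(body, r"SYNTAX\s+([^\n]+)"),
            "max_access": _clause(body, r"MAX-ACCESS\s+([\w-]+)"),
            "status": _clause(body, r"STATUS\s+(\w+)"),
            "description": strings[int(desc.group(1))] if desc else "",
        }
    return objects


def writable_objects(text):
    """Objects that SNMP SET could alter; the text above says there are none."""
    return sorted(n for n, o in parse_object_types(text).items()
                  if o["max_access"] in WRITABLE)


def counters_missing_discontinuity(text):
    """Counter objects whose DESCRIPTION never names the discontinuity indicator."""
    return sorted(n for n, o in parse_object_types(text).items()
                  if o["syntax"].startswith("Counter")
                  and DISCONTINUITY_OBJ not in o["description"])


if __name__ == "__main__":
    print("writable objects:", writable_objects(MIB_EXCERPT))
    print("counters without discontinuity indicator:",
          counters_missing_discontinuity(MIB_EXCERPT))
```

   Run against the complete module text instead of the excerpt, both
   functions should return empty lists; any name they report is an object
   that either needs SNMP SET access control the rest of this section does
   not assume, or a DESCRIPTION that does not tell a manager when the
   counter can reset.  The string and comment handling is deliberately
   minimal (balanced quotes, line comments only) rather than a full SMIv2
   parser.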
   These are the tables and objects and their
   sensitivity/vulnerability:

   radiusAuthServerIPAddress
      This can be used to determine the address of the RADIUS
      authentication server with which the client is communicating.
      This information could be useful in mounting an attack on the
      authentication server.

   radiusAuthServerInetAddress
      This can be used to determine the address of the RADIUS
      authentication server with which the client is communicating.
      This information could be useful in mounting an attack on the
      authentication server.

   radiusAuthClientServerInetPortNumber
      This can be used to determine the port number on which the RADIUS
      authentication client is sending.  This information could be
      useful in impersonating the client in order to send data to the
      authentication server.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

10.2.  Informative References

   [RFC2618]  Aboba, B. and G. Zorn, "RADIUS Authentication Client MIB",
              RFC 2618, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

Appendix A.  Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to Dave Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.