Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Updates: RFC 2619 (if approved)                          August 30, 2005
Expires: March 3, 2006

                      RADIUS Auth Server MIB (IPv6)
                   draft-ietf-radext-rfc2619bis-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 3, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo updates RFC 2619 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Server as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document updates RFC 2619 [RFC2619], RADIUS Authentication
   Server MIB, by deprecating the radiusAuthClientTable table and adding
   a new table, radiusAuthClientExtTable, containing
   radiusAuthClientInetAddressType and radiusAuthClientInetAddress.  The
   purpose of these added MIB objects is to support version neutral IP
   addressing formats.  The existing table containing
   radiusAuthClientAddress is deprecated.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   version neutral IP addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC4001] that support all
   versions of IP.  The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated".  The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The structure of the MIB Module defined in this memo corresponds to
   the structure of the MIB Module defined in RADIUS Authentication
   Server MIB, RFC 2619 [RFC2619].  This MIB module contains fourteen
   scalars as well as a single table, the RADIUS Authentication Client
   Table, which contains one row for each RADIUS authentication client
   with which the server shares a secret.

   Each entry in the RADIUS Authentication Client Table includes
   thirteen columns presenting a view of the activity of the RADIUS
   authentication server.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2619
   [RFC2619].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate the deprecated table
   containing IPv4-only address objects when the RADIUS server address
   represented in the table row is not an IPv4 address.  Managed
   entities SHOULD NOT return inaccurate values of IP address or SNMP
   object access errors for IPv4-only address objects in otherwise
   populated tables.

7.  Definitions

   RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
          Counter32, Integer32,
          IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
          SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress     FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

   radiusAuthServMIB MODULE-IDENTITY
          -- ExtUTCTime needs the full 13-character form, so the
          -- truncated "20050830000Z" of the original is corrected here.
          LAST-UPDATED "200508300000Z" -- 30 Aug 2005
          ORGANIZATION "IETF RADIUS Extensions Working Group."
          CONTACT-INFO
                 " Bernard Aboba
                   Microsoft
                   One Microsoft Way
                   Redmond, WA  98052
                   US
                   Phone: +1 425 936 6605
                   EMail: bernarda@microsoft.com"
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Remote Authentication Dial-In User
                 Service (RADIUS) authentication protocol."
          REVISION     "9906110000Z"    -- 11 Jun 1999
          DESCRIPTION "Initial version as published in RFC 2619"
          REVISION     "200508300000Z"  -- 30 Aug 2005
          DESCRIPTION "Revised version as published in RFC xxxx."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.
          ::= { radiusAuthentication 1 }

   radiusMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
                "The OID assigned to RADIUS MIB work by the IANA."
          ::= { mib-2 67 }

   radiusAuthServerExtMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
                "The OID assigned to RADIUS Extensions MIB
                 work by the IANA."
          ::= { mib-2 TBA }

   -- RFC Editor: replace TBA with IANA assigned OID value, and
   -- remove this note.

   radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

   radiusAuthServMIBObjects  OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 1 }

   radiusAuthServ  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBObjects 1 }

   radiusAuthServerExtMIBNotifications  OBJECT IDENTIFIER
          ::= { radiusAuthServerExtMIB 0 }

   radiusAuthServerExtMIBObjects  OBJECT IDENTIFIER
          ::= { radiusAuthServerExtMIB 1 }

   radiusAuthServIdent OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The implementation identification string for the
                 RADIUS authentication server software in use on the
                 system, for example; `FNS-2.1'"
          ::= {radiusAuthServ 1}

   radiusAuthServUpTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a
                 process), this value will be the time elapsed (in
                 hundredths of a second) since the server process
                 was started.  For software without persistent state,
                 this value will be zero."
          ::= {radiusAuthServ 2}

   radiusAuthServResetTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a process)
                 and supports a `reset' operation (e.g., can be told to
                 re-read configuration files), this value will be the
                 time elapsed (in hundredths of a second) since the
                 server was `reset.'  For software that does not
                 have persistence or does not support a `reset'
                 operation, this value will be zero."
          ::= {radiusAuthServ 3}

   radiusAuthServConfigReset OBJECT-TYPE
          SYNTAX      INTEGER { other(1),
                                reset(2),
                                initializing(3),
                                running(4)}
          MAX-ACCESS  read-write
          STATUS      current
          DESCRIPTION
                "Status/action object to reinitialize any persistent
                 server state.  When set to reset(2), any persistent
                 server state (such as a process) is reinitialized as
                 if the server had just been started.  This value will
                 never be returned by a read operation.  When read,
                 one of the following values will be returned:
                     other(1) - server in some unknown state;
                     initializing(3) - server (re)initializing;
                     running(4) - server currently running."
          ::= {radiusAuthServ 4}

   radiusAuthServTotalAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of packets received on the
                 authentication port."
          ::= { radiusAuthServ 5}

   radiusAuthServTotalInvalidRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 received from unknown addresses."
          ::= { radiusAuthServ 6 }

   radiusAuthServTotalDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received."
          ::= { radiusAuthServ 7 }

   radiusAuthServTotalAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets sent."
          ::= { radiusAuthServ 8 }

   radiusAuthServTotalAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets sent."
          ::= { radiusAuthServ 9 }

   radiusAuthServTotalAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets sent."
          ::= { radiusAuthServ 10 }

   radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received.  Bad authenticators
                 and unknown types are not included as
                 malformed Access-Requests."
          ::= { radiusAuthServ 11 }

   radiusAuthServTotalBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received."
          ::= { radiusAuthServ 12 }

   radiusAuthServTotalPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of incoming packets
                 silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthServ 13 }

   radiusAuthServTotalUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received."
          ::= { radiusAuthServ 14 }

   radiusAuthClientTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 15 }

   radiusAuthClientEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientIndex }
          ::= { radiusAuthClientTable 1 }

   RadiusAuthClientEntry ::= SEQUENCE {
          radiusAuthClientIndex                           Integer32,
          radiusAuthClientAddress                         IpAddress,
          radiusAuthClientID                        SnmpAdminString,
          radiusAuthServAccessRequests                    Counter32,
          radiusAuthServDupAccessRequests                 Counter32,
          radiusAuthServAccessAccepts                     Counter32,
          radiusAuthServAccessRejects                     Counter32,
          radiusAuthServAccessChallenges                  Counter32,
          radiusAuthServMalformedAccessRequests           Counter32,
          radiusAuthServBadAuthenticators                 Counter32,
          radiusAuthServPacketsDropped                    Counter32,
          radiusAuthServUnknownTypes                      Counter32
   }

   radiusAuthClientIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientEntry 1 }

   radiusAuthClientAddress OBJECT-TYPE
          SYNTAX     IpAddress
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-IP-Address of the RADIUS authentication client
                 referred to in this table entry."
          ::= { radiusAuthClientEntry 2 }

   radiusAuthClientID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          ::= { radiusAuthClientEntry 3 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          ::= { radiusAuthClientEntry 4 }

   radiusAuthServDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          ::= { radiusAuthClientEntry 5 }

   radiusAuthServAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          ::= { radiusAuthClientEntry 6 }

   radiusAuthServAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          ::= { radiusAuthClientEntry 7 }

   radiusAuthServAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          ::= { radiusAuthClientEntry 8 }

   radiusAuthServMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          ::= { radiusAuthClientEntry 9 }

   radiusAuthServBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          ::= { radiusAuthClientEntry 10 }

   radiusAuthServPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthClientEntry 11 }

   radiusAuthServUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          ::= { radiusAuthClientEntry 12 }

   -- new table

   radiusAuthClientExtTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServerExtMIBObjects 1 }

   radiusAuthClientExtEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientExtIndex }
          ::= { radiusAuthClientExtTable 1 }

   RadiusAuthClientExtEntry ::= SEQUENCE {
          radiusAuthClientExtIndex                        Integer32,
          radiusAuthClientInetAddressType           InetAddressType,
          radiusAuthClientInetAddress                   InetAddress,
          radiusAuthClientExtID                     SnmpAdminString,
          radiusAuthServExtAccessRequests                 Counter32,
          radiusAuthServExtDupAccessRequests              Counter32,
          radiusAuthServExtAccessAccepts                  Counter32,
          radiusAuthServExtAccessRejects                  Counter32,
          radiusAuthServExtAccessChallenges               Counter32,
          radiusAuthServExtMalformedAccessRequests        Counter32,
          radiusAuthServExtBadAuthenticators              Counter32,
          radiusAuthServExtPacketsDropped                 Counter32,
          radiusAuthServExtUnknownTypes                   Counter32
   }

   radiusAuthClientExtIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientExtEntry 1 }

   radiusAuthClientInetAddressType OBJECT-TYPE
          SYNTAX     InetAddressType
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The type of address format used for the
                 radiusAuthClientInetAddress object."
          ::= { radiusAuthClientExtEntry 2 }

   radiusAuthClientInetAddress OBJECT-TYPE
          SYNTAX     InetAddress
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The IP address of the RADIUS authentication
                 client referred to in this table entry, using
                 the version neutral IP address format."
          ::= { radiusAuthClientExtEntry 3 }

   radiusAuthClientExtID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          ::= { radiusAuthClientExtEntry 4 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServExtAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          ::= { radiusAuthClientExtEntry 5 }

   radiusAuthServExtDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          ::= { radiusAuthClientExtEntry 6 }

   radiusAuthServExtAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 7 }

   radiusAuthServExtAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 8 }

   radiusAuthServExtAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 9 }

   radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          ::= { radiusAuthClientExtEntry 10 }

   radiusAuthServExtBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          ::= { radiusAuthClientExtEntry 11 }

   radiusAuthServExtPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthClientExtEntry 12 }

   radiusAuthServExtUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          ::= { radiusAuthClientExtEntry 13 }

   -- conformance information

   radiusAuthServMIBConformance  OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 2 }
   radiusAuthServMIBCompliances  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 1 }
   radiusAuthServMIBGroups  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 2 }

   radiusAuthServExtMIBConformance  OBJECT IDENTIFIER
          ::= { radiusAuthServerExtMIB 2 }
   radiusAuthServExtMIBCompliances  OBJECT IDENTIFIER
          ::= { radiusAuthServExtMIBConformance 1 }
   radiusAuthServExtMIBGroups  OBJECT IDENTIFIER
          ::= { radiusAuthServExtMIBConformance 2 }

   -- compliance statements

   radiusAuthServMIBCompliance MODULE-COMPLIANCE
          STATUS  deprecated
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."
          ::= { radiusAuthServMIBCompliances 1 }

   radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
          STATUS  current
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServExtMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."

          ::= { radiusAuthServExtMIBCompliances 1 }

   -- units of conformance

   radiusAuthServMIBGroup OBJECT-GROUP
          OBJECTS {radiusAuthServIdent,
                   radiusAuthServUpTime,
                   radiusAuthServResetTime,
                   radiusAuthServConfigReset,
                   radiusAuthServTotalAccessRequests,
                   radiusAuthServTotalInvalidRequests,
                   radiusAuthServTotalDupAccessRequests,
                   radiusAuthServTotalAccessAccepts,
                   radiusAuthServTotalAccessRejects,
                   radiusAuthServTotalAccessChallenges,
                   radiusAuthServTotalMalformedAccessRequests,
                   radiusAuthServTotalBadAuthenticators,
                   radiusAuthServTotalPacketsDropped,
                   radiusAuthServTotalUnknownTypes,
                   radiusAuthClientAddress,
                   radiusAuthClientID,
                   radiusAuthServAccessRequests,
                   radiusAuthServDupAccessRequests,
                   radiusAuthServAccessAccepts,
                   radiusAuthServAccessRejects,
                   radiusAuthServAccessChallenges,
                   radiusAuthServMalformedAccessRequests,
                   radiusAuthServBadAuthenticators,
                   radiusAuthServPacketsDropped,
                   radiusAuthServUnknownTypes
                  }
          STATUS  deprecated
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Authentication Server."
          ::= { radiusAuthServMIBGroups 1 }

   radiusAuthServExtMIBGroup OBJECT-GROUP
          OBJECTS {radiusAuthServIdent,
                   radiusAuthServUpTime,
                   radiusAuthServResetTime,
                   radiusAuthServConfigReset,
                   radiusAuthServTotalAccessRequests,
                   radiusAuthServTotalInvalidRequests,
                   radiusAuthServTotalDupAccessRequests,
                   radiusAuthServTotalAccessAccepts,
                   radiusAuthServTotalAccessRejects,
                   radiusAuthServTotalAccessChallenges,
                   radiusAuthServTotalMalformedAccessRequests,
                   radiusAuthServTotalBadAuthenticators,
                   radiusAuthServTotalPacketsDropped,
                   radiusAuthServTotalUnknownTypes,
                   radiusAuthClientInetAddressType,
                   radiusAuthClientInetAddress,
                   radiusAuthClientExtID,
                   radiusAuthServExtAccessRequests,
                   radiusAuthServExtDupAccessRequests,
                   radiusAuthServExtAccessAccepts,
                   radiusAuthServExtAccessRejects,
                   radiusAuthServExtAccessChallenges,
                   radiusAuthServExtMalformedAccessRequests,
                   radiusAuthServExtBadAuthenticators,
                   radiusAuthServExtPacketsDropped,
                   radiusAuthServExtUnknownTypes
                  }
          STATUS  current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Authentication Server."
          ::= { radiusAuthServExtMIBGroups 1 }

   END

8.  IANA Considerations

   This document requires IANA assignment of a number in the MIB-2 OID
   number space.

9.  Security Considerations

   There are no management objects defined in this MIB that have a MAX-
   ACCESS clause of read-write and/or read-create.  So, if this MIB is
   implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthClientAddress  This can be used to determine the address
      of the RADIUS authentication client with which the server is
      communicating.
This information could be useful in mounting an 840 attack on the authentication client. 841 radiusAuthClientInetAddress This can be used to determine the address 842 of the RADIUS authentication client with which the server is 843 communicating. This information could be useful in mounting an 844 attack on the authentication client. 846 It is thus important to control even GET access to these objects and 847 possibly to even encrypt the values of these object when sending them 848 over the network via SNMP. Not all versions of SNMP provide features 849 for such a secure environment. 851 SNMP versions prior to SNMPv3 do not provide a secure environment. 852 Even if the network itself is secure (for example by using IPSec), 853 there is no control as to who on the secure network is allowed to 854 access and GET/SET (read/change/create/delete) the objects in this 855 MIB. 857 It is recommended that the implementers consider the security 858 features as provided by the SNMPv3 framework. Specifically, the use 859 of the User-based Security Model [RFC2574] and the View-based Access 860 Control Model [RFC2575] is recommended. Using these security 861 features, customer/users can give access to the objects only to those 862 principals (users) that have legitimate rights to GET or SET (change/ 863 create/delete) them. 865 10. References 867 10.1. Normative References 869 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 870 Requirement Levels", BCP 14, RFC 2119, March 1997. 872 [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model 873 (USM) for version 3 of the Simple Network Management 874 Protocol (SNMPv3)", RFC 2574, April 1999. 876 [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based 877 Access Control Model (VACM) for the Simple Network 878 Management Protocol (SNMP)", RFC 2575, April 1999. 880 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. 
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

Appendix A.  Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to David Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.