idnits 2.17.1

draft-ietf-radext-rfc2619bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this to
     the boilerplate described in the IETF Trust License Policy document (see
     https://trustee.ietf.org/license-info), which is required now.

     -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.
     -- Found old boilerplate from RFC 3978, Section 5.5 on line 959.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 936.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 943.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 949.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead
     of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (October 18, 2005) is 6764 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 111, but not defined

  == Unused Reference: 'RFC3418' is defined on line 893, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2619
     (Obsoleted by RFC 4669)

     Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2619 (if approved)                       October 18, 2005
Expires: April 21, 2006

                      RADIUS Auth Server MIB (IPv6)
                   draft-ietf-radext-rfc2619bis-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 21, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo obsoletes RFC 2619 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2619 are carried forward into this document.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Server as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication
   Server MIB, by deprecating the radiusAuthClientTable table and adding
   a new table, radiusAuthClientExtTable, containing
   radiusAuthClientInetAddressType and radiusAuthClientInetAddress.  The
   purpose of these added MIB objects is to support version neutral IP
   addressing formats.  The existing table containing
   radiusAuthClientAddress is deprecated.  The remaining MIB objects
   from RFC 2619 are carried forward into this document.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   version neutral IP addresses, contains the following recommendation.

   'In particular, when revising a MIB module that contains IPv4
   specific tables, it is suggested to define new tables using the
   textual conventions defined in this memo [RFC 4001] that support all
   versions of IP.  The status of the new tables SHOULD be "current",
   whereas the status of the old IP version specific tables SHOULD be
   changed to "deprecated".  The other approach, of having multiple
   similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically NAS devices implement the client function, and thus would
   be expected to implement the RADIUS authentication client MIB, while
   RADIUS authentication servers implement the server function, and thus
   would be expected to implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.
   This MIB module contains fourteen scalars as well as a single table,
   the RADIUS Authentication Client Table, which contains one row for
   each RADIUS authentication client with which the server shares a
   secret.  Each entry in the RADIUS Authentication Client Table
   includes thirteen columns presenting a view of the activity of the
   RADIUS authentication server.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2619
   [RFC2619].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate the deprecated table
   containing IPv4-only address objects when the RADIUS server address
   represented in the table row is not an IPv4 address.  Managed
   entities SHOULD NOT return inaccurate values of IP address or SNMP
   object access errors for IPv4-only address objects in otherwise
   populated tables.

7.  Definitions

   RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
          Counter32, Integer32,
          IpAddress, TimeTicks, mib-2       FROM SNMPv2-SMI
          SnmpAdminString                   FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress      FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP   FROM SNMPv2-CONF;

   radiusAuthServMIB MODULE-IDENTITY
          LAST-UPDATED "200510170000Z" -- 17 Oct 2005
          ORGANIZATION "IETF RADIUS Extensions Working Group."
          CONTACT-INFO
                 " Bernard Aboba
                   Microsoft
                   One Microsoft Way
                   Redmond, WA  98052
                   US
                   Phone: +1 425 936 6605
                   EMail: bernarda@microsoft.com"
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Remote Authentication Dial-In User
                 Service (RADIUS) authentication protocol."
          REVISION "200510170000Z" -- 17 Oct 2005
          DESCRIPTION "Revised version as published in RFC xxxx.
                 This version obsoletes that of RFC 2619 by deprecating the
                 MIB table containing IPv4-only address formats and defining
                 a new table to add support for version neutral IP address
                 formats.  The remaining MIB objects from RFC 2619 are carried
                 forward into this version."
          REVISION "9906110000Z" -- 11 Jun 1999
          DESCRIPTION "Initial version as published in RFC 2619"

          -- RFC Editor: replace xxxx with actual RFC number at the time of
          -- publication, and remove this note.

          ::= { radiusAuthentication 1 }

   radiusMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
                "The OID assigned to RADIUS MIB work by the IANA."
          ::= { mib-2 67 }

   radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

   radiusAuthServMIBObjects  OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 1 }

   radiusAuthServ  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBObjects 1 }

   radiusAuthServIdent OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The implementation identification string for the
                 RADIUS authentication server software in use on the
                 system, for example; `FNS-2.1'"
          ::= {radiusAuthServ 1}

   radiusAuthServUpTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a
                 process), this value will be the time elapsed (in
                 hundredths of a second) since the server process
                 was started.  For software without persistent state,
                 this value will be zero."
          ::= {radiusAuthServ 2}

   radiusAuthServResetTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a process)
                 and supports a `reset' operation (e.g., can be told to
                 re-read configuration files), this value will be the
                 time elapsed (in hundredths of a second) since the
                 server was `reset.'  For software that does not
                 have persistence or does not support a `reset'
                 operation, this value will be zero."
          ::= {radiusAuthServ 3}

   radiusAuthServConfigReset OBJECT-TYPE
          SYNTAX      INTEGER { other(1),
                                reset(2),
                                initializing(3),
                                running(4)}
          MAX-ACCESS  read-write
          STATUS      current
          DESCRIPTION
                "Status/action object to reinitialize any persistent
                 server state.  When set to reset(2), any persistent
                 server state (such as a process) is reinitialized as
                 if the server had just been started.  This value will
                 never be returned by a read operation.  When read,
                 one of the following values will be returned:
                     other(1) - server in some unknown state;
                     initializing(3) - server (re)initializing;
                     running(4) - server currently running."
          ::= {radiusAuthServ 4}

   radiusAuthServTotalAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of packets received on the
                 authentication port."
          ::= { radiusAuthServ 5}

   radiusAuthServTotalInvalidRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 received from unknown addresses."
          ::= { radiusAuthServ 6 }

   radiusAuthServTotalDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received."
          ::= { radiusAuthServ 7 }

   radiusAuthServTotalAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets sent."
          ::= { radiusAuthServ 8 }

   radiusAuthServTotalAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets sent."
          ::= { radiusAuthServ 9 }

   radiusAuthServTotalAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets sent."
          ::= { radiusAuthServ 10 }

   radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received.  Bad authenticators
                 and unknown types are not included as
                 malformed Access-Requests."
          ::= { radiusAuthServ 11 }

   radiusAuthServTotalBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received."
          ::= { radiusAuthServ 12 }

   radiusAuthServTotalPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of incoming packets
                 silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthServ 13 }

   radiusAuthServTotalUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received."
          ::= { radiusAuthServ 14 }

   radiusAuthClientTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 15 }

   radiusAuthClientEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientIndex }
          ::= { radiusAuthClientTable 1 }

   RadiusAuthClientEntry ::= SEQUENCE {
          radiusAuthClientIndex                           Integer32,
          radiusAuthClientAddress                         IpAddress,
          radiusAuthClientID                        SnmpAdminString,
          radiusAuthServAccessRequests                    Counter32,
          radiusAuthServDupAccessRequests                 Counter32,
          radiusAuthServAccessAccepts                     Counter32,
          radiusAuthServAccessRejects                     Counter32,
          radiusAuthServAccessChallenges                  Counter32,
          radiusAuthServMalformedAccessRequests           Counter32,
          radiusAuthServBadAuthenticators                 Counter32,
          radiusAuthServPacketsDropped                    Counter32,
          radiusAuthServUnknownTypes                      Counter32
   }

   radiusAuthClientIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientEntry 1 }

   radiusAuthClientAddress OBJECT-TYPE
          SYNTAX     IpAddress
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-IP-Address of the RADIUS authentication client
                 referred to in this table entry."
          ::= { radiusAuthClientEntry 2 }

   radiusAuthClientID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          ::= { radiusAuthClientEntry 3 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          ::= { radiusAuthClientEntry 4 }

   radiusAuthServDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          ::= { radiusAuthClientEntry 5 }

   radiusAuthServAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          ::= { radiusAuthClientEntry 6 }

   radiusAuthServAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          ::= { radiusAuthClientEntry 7 }

   radiusAuthServAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          ::= { radiusAuthClientEntry 8 }

   radiusAuthServMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          ::= { radiusAuthClientEntry 9 }

   radiusAuthServBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          ::= { radiusAuthClientEntry 10 }

   radiusAuthServPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthClientEntry 11 }

   radiusAuthServUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          ::= { radiusAuthClientEntry 12 }

   -- New MIB objects added in this revision

   radiusAuthClientExtTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 16 }

   radiusAuthClientExtEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientExtIndex }
          ::= { radiusAuthClientExtTable 1 }

   RadiusAuthClientExtEntry ::= SEQUENCE {
          radiusAuthClientExtIndex                        Integer32,
          radiusAuthClientInetAddressType           InetAddressType,
          radiusAuthClientInetAddress                   InetAddress,
          radiusAuthClientExtID                     SnmpAdminString,
          radiusAuthServExtAccessRequests                 Counter32,
          radiusAuthServExtDupAccessRequests              Counter32,
          radiusAuthServExtAccessAccepts                  Counter32,
          radiusAuthServExtAccessRejects                  Counter32,
          radiusAuthServExtAccessChallenges               Counter32,
          radiusAuthServExtMalformedAccessRequests        Counter32,
          radiusAuthServExtBadAuthenticators              Counter32,
          radiusAuthServExtPacketsDropped                 Counter32,
          radiusAuthServExtUnknownTypes                   Counter32
   }

   radiusAuthClientExtIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientExtEntry 1 }

   radiusAuthClientInetAddressType OBJECT-TYPE
          SYNTAX     InetAddressType
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The type of address format used for the
                 radiusAuthClientInetAddress object."
          ::= { radiusAuthClientExtEntry 2 }

   radiusAuthClientInetAddress OBJECT-TYPE
          SYNTAX     InetAddress
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The IP address of the RADIUS authentication
                 client referred to in this table entry, using
                 the version neutral IP address format."
          ::= { radiusAuthClientExtEntry 3 }

   radiusAuthClientExtID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          ::= { radiusAuthClientExtEntry 4 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServExtAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          ::= { radiusAuthClientExtEntry 5 }

   radiusAuthServExtDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          ::= { radiusAuthClientExtEntry 6 }

   radiusAuthServExtAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 7 }

   radiusAuthServExtAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 8 }

   radiusAuthServExtAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          ::= { radiusAuthClientExtEntry 9 }

   radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          ::= { radiusAuthClientExtEntry 10 }

   radiusAuthServExtBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          ::= { radiusAuthClientExtEntry 11 }

   radiusAuthServExtPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          ::= { radiusAuthClientExtEntry 12 }

   radiusAuthServExtUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          ::= { radiusAuthClientExtEntry 13 }

   -- conformance information

   radiusAuthServMIBConformance  OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 2 }

   radiusAuthServMIBCompliances  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 1 }

   radiusAuthServMIBGroups  OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 2 }

   -- compliance statements

   radiusAuthServMIBCompliance MODULE-COMPLIANCE
          STATUS  deprecated
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServMIBGroup }
          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."

          ::= { radiusAuthServMIBCompliances 1 }

   radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
          STATUS  current
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServExtMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."

          ::= { radiusAuthServMIBCompliances 2 }

   -- units of conformance

   radiusAuthServMIBGroup OBJECT-GROUP
          OBJECTS {radiusAuthServIdent,
                   radiusAuthServUpTime,
                   radiusAuthServResetTime,
                   radiusAuthServConfigReset,
                   radiusAuthServTotalAccessRequests,
                   radiusAuthServTotalInvalidRequests,
                   radiusAuthServTotalDupAccessRequests,
                   radiusAuthServTotalAccessAccepts,
                   radiusAuthServTotalAccessRejects,
                   radiusAuthServTotalAccessChallenges,
                   radiusAuthServTotalMalformedAccessRequests,
                   radiusAuthServTotalBadAuthenticators,
                   radiusAuthServTotalPacketsDropped,
                   radiusAuthServTotalUnknownTypes,
                   radiusAuthClientAddress,
                   radiusAuthClientID,
                   radiusAuthServAccessRequests,
                   radiusAuthServDupAccessRequests,
                   radiusAuthServAccessAccepts,
                   radiusAuthServAccessRejects,
                   radiusAuthServAccessChallenges,
                   radiusAuthServMalformedAccessRequests,
                   radiusAuthServBadAuthenticators,
                   radiusAuthServPacketsDropped,
                   radiusAuthServUnknownTypes
                  }
          STATUS  deprecated
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Authentication Server."
          ::= { radiusAuthServMIBGroups 1 }

   radiusAuthServExtMIBGroup OBJECT-GROUP
          OBJECTS {radiusAuthServIdent,
                   radiusAuthServUpTime,
                   radiusAuthServResetTime,
                   radiusAuthServConfigReset,
                   radiusAuthServTotalAccessRequests,
                   radiusAuthServTotalInvalidRequests,
                   radiusAuthServTotalDupAccessRequests,
                   radiusAuthServTotalAccessAccepts,
                   radiusAuthServTotalAccessRejects,
                   radiusAuthServTotalAccessChallenges,
                   radiusAuthServTotalMalformedAccessRequests,
                   radiusAuthServTotalBadAuthenticators,
                   radiusAuthServTotalPacketsDropped,
                   radiusAuthServTotalUnknownTypes,
                   radiusAuthClientInetAddressType,
                   radiusAuthClientInetAddress,
                   radiusAuthClientExtID,
                   radiusAuthServExtAccessRequests,
                   radiusAuthServExtDupAccessRequests,
                   radiusAuthServExtAccessAccepts,
                   radiusAuthServExtAccessRejects,
                   radiusAuthServExtAccessChallenges,
                   radiusAuthServExtMalformedAccessRequests,
                   radiusAuthServExtBadAuthenticators,
                   radiusAuthServExtPacketsDropped,
                   radiusAuthServExtUnknownTypes
                  }
          STATUS  current
          DESCRIPTION
                "The collection of objects providing management of
                 a RADIUS Authentication Server."
          ::= { radiusAuthServMIBGroups 2 }

   END

8.  IANA Considerations

   This document requires no new IANA assignments.

9.  Security Considerations

   There are no management objects defined in this MIB that have a MAX-
   ACCESS clause of read-write and/or read-create.  So, if this MIB is
   implemented correctly, then there is no risk that an intruder can
   alter or create any management objects of this MIB via direct SNMP
   SET operations.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthClientAddress  This can be used to determine the address
      of the RADIUS authentication client with which the server is
      communicating.  This information could be useful in mounting an
      attack on the authentication client.
   radiusAuthClientInetAddress  This can be used to determine the
      address of the RADIUS authentication client with which the server
      is communicating.  This information could be useful in mounting
      an attack on the authentication client.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 do not provide a secure environment.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is recommended that implementers consider the security features
   provided by the SNMPv3 framework.  Specifically, the use of the
   User-based Security Model [RFC2574] and the View-based Access
   Control Model [RFC2575] is recommended.  Using these security
   features, customers/users can give access to the objects only to
   those principals (users) that have legitimate rights to GET or SET
   (change/create/delete) them.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2574]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

10.2.  Informative References

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

Appendix A.  Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to David Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
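The Security Considerations section above recommends the View-based Access Control Model [RFC2575] so that even GET access to radiusAuthClientIPAddress and radiusAuthClientInetAddress can be limited to principals with a legitimate need. The following Python is an added example, not code from this draft or from any SNMP agent: it implements the vacmViewTreeFamilyTable matching rule of RFC 2575 (subtree, bit mask, included/excluded, most-specific entry wins) and applies it to a read view that keeps the server-wide counters of this MIB visible while excluding the two client tables that carry client addresses. The OID sub-identifiers used for the objects are assumptions based on the RFC 2619 / RFC 4669 numbering as recalled by the example's author, not values stated in this draft; check them against a compiled copy of the MIB before reusing them in a real configuration.

```python
"""VACM (RFC 2575) view matching applied to the RADIUS Authentication
Server MIB.  Added example, not part of the draft.

OID sub-identifiers below are ASSUMED from the RFC 2619 / RFC 4669
numbering; verify them against a compiled MIB before reuse.
"""
from dataclasses import dataclass

OID = tuple[int, ...]

# radiusAuthServ = mib-2.67.1.1.1.1 (assumed, see module docstring)
RADIUS_AUTH_SERV: OID = (1, 3, 6, 1, 2, 1, 67, 1, 1, 1, 1)

# Instance OIDs: scalars carry a trailing .0, table cells carry
# column number and row index 1.  Column numbers are assumptions.
OBJECTS: dict[str, OID] = {
    "radiusAuthServIdent": RADIUS_AUTH_SERV + (1, 0),
    "radiusAuthServTotalAccessRequests": RADIUS_AUTH_SERV + (5, 0),
    # radiusAuthClientTable (15): address column 2, row 1
    "radiusAuthClientAddress": RADIUS_AUTH_SERV + (15, 1, 2, 1),
    # radiusAuthClientExtTable (16): address column 3, ID column 4,
    # per-client Access-Request counter column 5, row 1
    "radiusAuthClientInetAddress": RADIUS_AUTH_SERV + (16, 1, 3, 1),
    "radiusAuthClientExtID": RADIUS_AUTH_SERV + (16, 1, 4, 1),
    "radiusAuthClientExtAccessRequests": RADIUS_AUTH_SERV + (16, 1, 5, 1),
}


@dataclass(frozen=True)
class ViewTreeFamily:
    """One row of vacmViewTreeFamilyTable.  An empty mask means "all
    ones": every sub-identifier of the subtree must match the OID."""
    subtree: OID
    included: bool = True
    mask: bytes = b""

    def matches(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            byte = self.mask[i // 8] if i // 8 < len(self.mask) else 0xFF
            if (byte >> (7 - i % 8)) & 1 and sub != oid[i]:
                return False  # a set mask bit demands an exact match
        return True


def in_view(view: list[ViewTreeFamily], oid: OID) -> bool:
    """RFC 2575 isAccessAllowed step for the view tree: of all matching
    entries, the one whose subtree has the most sub-identifiers wins,
    ties going to the lexicographically greatest subtree.  The OID is
    in the view only if that winning entry is 'included'."""
    best = None
    for entry in view:
        if entry.matches(oid) and (
            best is None
            or (len(entry.subtree), entry.subtree)
            > (len(best.subtree), best.subtree)
        ):
            best = entry
    return best is not None and best.included


def get_allowed(view: list[ViewTreeFamily], name: str) -> bool:
    """Would a GET of the named object instance succeed under `view`?"""
    return in_view(view, OBJECTS[name])


# Read view for a statistics collector: the whole radiusAuthServ subtree
# minus the two client tables, so no client address is ever returned.
RADIUS_STATS_VIEW = [
    ViewTreeFamily(RADIUS_AUTH_SERV, included=True),
    ViewTreeFamily(RADIUS_AUTH_SERV + (15,), included=False),  # radiusAuthClientTable
    ViewTreeFamily(RADIUS_AUTH_SERV + (16,), included=False),  # radiusAuthClientExtTable
]

# Same, but re-include just the per-client Access-Request counter column
# of the Ext table for every row; the address and ID columns stay hidden
# because the longer (more specific) entry only covers column 5.
RADIUS_PER_CLIENT_VIEW = RADIUS_STATS_VIEW + [
    ViewTreeFamily(RADIUS_AUTH_SERV + (16, 1, 5), included=True),
]

if __name__ == "__main__":
    for name in OBJECTS:
        print(f"{name:36s} stats={get_allowed(RADIUS_STATS_VIEW, name)!s:5s} "
              f"per-client={get_allowed(RADIUS_PER_CLIENT_VIEW, name)}")
```

Bind a view like this to a read-only access entry (Net-SNMP's `rouser ... -V <view>` form, for instance) for an SNMPv3 user protected by USM [RFC2574] with authentication and privacy, so that the address values are both access-controlled and encrypted in transit; with a read-only binding, a SET is never evaluated against the view at all.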