idnits 2.17.1

draft-ietf-radext-rfc2619bis-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this to
     the boilerplate described in the IETF Trust License Policy document (see
     https://trustee.ietf.org/license-info), which is required now.

     -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.
     -- Found old boilerplate from RFC 3978, Section 5.5 on line 1064.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1041.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1048.
     -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1054.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead
     of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 20, 2006) is 6671 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 131, but not defined

  == Unused Reference: 'RFC2574' is defined on line 969, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2575' is defined on line 973, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3411' is defined on line 997, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3418' is defined on line 1002, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2619
     (Obsoleted by RFC 4669)

     Summary: 6 errors (**), 0 flaws (~~), 9 warnings (==), 8 comments (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2619 (if approved)                       January 20, 2006
Expires: July 24, 2006

                      RADIUS Auth Server MIB (IPv6)
                   draft-ietf-radext-rfc2619bis-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 24, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a set of extensions which instrument RADIUS
   authentication server functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions IP-based management stations can manage RADIUS
   authentication servers.

   This memo obsoletes RFC 2619 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2619 are carried forward into this document.  This memo also adds
   UNITS and REFERENCE clauses to selected objects.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

   This document uses the word "malformed" with respect to RADIUS
   packets, particularly in the context of counters of "malformed
   packets".
   While RFC 2865 does not provide an explicit definition of
   "malformed", malformed generally means that the implementation has
   determined the packet does not match the format defined in RFC 2865.
   Some implementations may determine that packets are malformed when
   the Vendor Specific Attribute (VSA) format does not follow the RFC
   2865 recommendations for VSAs.  Those implementations are used in
   deployments today, and thus set the de-facto definition of
   "malformed".

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Server as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication
   Server MIB, by deprecating the radiusAuthClientTable table and adding
   a new table, radiusAuthClientExtTable, containing
   radiusAuthClientInetAddressType and radiusAuthClientInetAddress.  The
   purpose of these added MIB objects is to support version neutral IP
   addressing formats.  The existing table containing
   radiusAuthClientAddress is deprecated.  The remaining MIB objects
   from RFC 2619 are carried forward into this document.  This memo also
   adds UNITS and REFERENCE clauses to selected objects.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   version neutral IP addresses, contains the following recommendation.

      'In particular, when revising a MIB module that contains IPv4
      specific tables, it is suggested to define new tables using the
      textual conventions defined in this memo [RFC 4001] that support
      all versions of IP.  The status of the new tables SHOULD be
      "current", whereas the status of the old IP version specific
      tables SHOULD be changed to "deprecated".  The other approach, of
      having multiple similar tables for different IP versions, is
      strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically NAS devices implement the client function, and thus would
   be expected to implement the RADIUS authentication client MIB, while
   RADIUS authentication servers implement the server function, and thus
   would be expected to implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.
   This MIB module contains fourteen scalars as well as a single table,
   the RADIUS Authentication Client Table, which contains one row for
   each RADIUS authentication client with which the server shares a
   secret.  Each entry in the RADIUS Authentication Client Table
   includes twelve columns presenting a view of the activity of the
   RADIUS authentication server.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2619
   [RFC2619].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS client
   address represented in such a table row is not an IPv4 address.
   Managed entities SHOULD NOT return inaccurate values of IP address or
   SNMP object access errors for IPv4-only address objects in otherwise
   populated tables.  When row entries exist in both the deprecated
   IPv4-only table and the new IP version neutral table that describe
   the same RADIUS client, the row indexes SHOULD be the same for the
   corresponding rows in each table, to facilitate correlation of these
   related rows by management applications.

7.  Definitions

   RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
          Counter32, Integer32,
          IpAddress, TimeTicks, mib-2        FROM SNMPv2-SMI
          SnmpAdminString                    FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress       FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP    FROM SNMPv2-CONF;

   radiusAuthServMIB MODULE-IDENTITY
          LAST-UPDATED "200601200000Z" -- 20 Jan 2006
          ORGANIZATION "IETF RADIUS Extensions Working Group."
          CONTACT-INFO
                 " Bernard Aboba
                   Microsoft
                   One Microsoft Way
                   Redmond, WA  98052
                   US
                   Phone: +1 425 936 6605
                   EMail: bernarda@microsoft.com"
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Remote Authentication Dial-In User
                 Service (RADIUS) authentication protocol."
          REVISION "200601200000Z" -- 20 Jan 2006
          DESCRIPTION "Revised version as published in RFC xxxx.
                 This version obsoletes that of RFC 2619 by deprecating the
                 MIB table containing IPv4-only address formats and defining
                 a new table to add support for version neutral IP address
                 formats.  The remaining MIB objects from RFC 2619 are carried
                 forward into this version."
          REVISION "9906110000Z" -- 11 Jun 1999
          DESCRIPTION "Initial version as published in RFC 2619."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.

          ::= { radiusAuthentication 1 }

   radiusMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
                "The OID assigned to RADIUS MIB work by the IANA."
          ::= { mib-2 67 }

   radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

   radiusAuthServMIBObjects OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 1 }

   radiusAuthServ OBJECT IDENTIFIER
          ::= { radiusAuthServMIBObjects 1 }

   radiusAuthServIdent OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The implementation identification string for the
                 RADIUS authentication server software in use on the
                 system, for example; `FNS-2.1'"
          ::= {radiusAuthServ 1}

   radiusAuthServUpTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a
                 process), this value will be the time elapsed (in
                 hundredths of a second) since the server process
                 was started.  For software without persistent state,
                 this value will be zero."
          ::= {radiusAuthServ 2}

   radiusAuthServResetTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a process)
                 and supports a `reset' operation (e.g., can be told to
                 re-read configuration files), this value will be the
                 time elapsed (in hundredths of a second) since the
                 server was `reset.'  For software that does not
                 have persistence or does not support a `reset'
                 operation, this value will be zero."
          ::= {radiusAuthServ 3}

   radiusAuthServConfigReset OBJECT-TYPE
          SYNTAX      INTEGER { other(1),
                                reset(2),
                                initializing(3),
                                running(4)}
          MAX-ACCESS  read-write
          STATUS      current
          DESCRIPTION
                "Status/action object to reinitialize any persistent
                 server state.  When set to reset(2), any persistent
                 server state (such as a process) is reinitialized as
                 if the server had just been started.  This value will
                 never be returned by a read operation.  When read,
                 one of the following values will be returned:
                     other(1) - server in some unknown state;
                     initializing(3) - server (re)initializing;
                     running(4) - server currently running."
          ::= {radiusAuthServ 4}

   radiusAuthServTotalAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of packets received on the
                 authentication port."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 5}

   radiusAuthServTotalInvalidRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 received from unknown addresses."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 6 }

   radiusAuthServTotalDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 7 }

   radiusAuthServTotalAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets sent."
          REFERENCE   "RFC 2865 section 4.2"
          ::= { radiusAuthServ 8 }

   radiusAuthServTotalAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets sent."
          REFERENCE   "RFC 2865 section 4.3"
          ::= { radiusAuthServ 9 }

   radiusAuthServTotalAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets sent."
          REFERENCE   "RFC 2865 section 4.4"
          ::= { radiusAuthServ 10 }

   radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received.  Bad authenticators
                 and unknown types are not included as
                 malformed Access-Requests."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 11 }

   radiusAuthServTotalBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthServ 12 }

   radiusAuthServTotalPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of incoming packets
                 silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthServ 13 }

   radiusAuthServTotalUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received."
          REFERENCE   "RFC 2865 section 4"
          ::= { radiusAuthServ 14 }

   radiusAuthClientTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF RadiusAuthClientEntry
          MAX-ACCESS  not-accessible
          STATUS      deprecated
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 15 }

   radiusAuthClientEntry OBJECT-TYPE
          SYNTAX      RadiusAuthClientEntry
          MAX-ACCESS  not-accessible
          STATUS      deprecated
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX       { radiusAuthClientIndex }
          ::= { radiusAuthClientTable 1 }

   RadiusAuthClientEntry ::= SEQUENCE {
          radiusAuthClientIndex                   Integer32,
          radiusAuthClientAddress                 IpAddress,
          radiusAuthClientID                      SnmpAdminString,
          radiusAuthServAccessRequests            Counter32,
          radiusAuthServDupAccessRequests         Counter32,
          radiusAuthServAccessAccepts             Counter32,
          radiusAuthServAccessRejects             Counter32,
          radiusAuthServAccessChallenges          Counter32,
          radiusAuthServMalformedAccessRequests   Counter32,
          radiusAuthServBadAuthenticators         Counter32,
          radiusAuthServPacketsDropped            Counter32,
          radiusAuthServUnknownTypes              Counter32
   }

   radiusAuthClientIndex OBJECT-TYPE
          SYNTAX      Integer32 (1..2147483647)
          MAX-ACCESS  not-accessible
          STATUS      deprecated
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientEntry 1 }

   radiusAuthClientAddress OBJECT-TYPE
          SYNTAX      IpAddress
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The NAS-IP-Address of the RADIUS authentication client
                 referred to in this table entry."
          REFERENCE   "RFC 2865 section 2"
          ::= { radiusAuthClientEntry 2 }

   radiusAuthClientID OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          REFERENCE   "RFC 2865 section 5.32"
          ::= { radiusAuthClientEntry 3 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthClientEntry 4 }

   radiusAuthServDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthClientEntry 5 }

   radiusAuthServAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.2"
          ::= { radiusAuthClientEntry 6 }

   radiusAuthServAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.3"
          ::= { radiusAuthClientEntry 7 }

   radiusAuthServAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.4"
          ::= { radiusAuthClientEntry 8 }

   radiusAuthServMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 9 }

   radiusAuthServBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 10 }

   radiusAuthServPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 11 }

   radiusAuthServUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      deprecated
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          REFERENCE   "RFC 2865 section 4"
          ::= { radiusAuthClientEntry 12 }

   -- New MIB objects added in this revision

   radiusAuthClientExtTable OBJECT-TYPE
          SYNTAX      SEQUENCE OF RadiusAuthClientExtEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 16 }

   radiusAuthClientExtEntry OBJECT-TYPE
          SYNTAX      RadiusAuthClientExtEntry
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX       { radiusAuthClientExtIndex }
          ::= { radiusAuthClientExtTable 1 }

   RadiusAuthClientExtEntry ::= SEQUENCE {
          radiusAuthClientExtIndex                   Integer32,
          radiusAuthClientInetAddressType            InetAddressType,
          radiusAuthClientInetAddress                InetAddress,
          radiusAuthClientExtID                      SnmpAdminString,
          radiusAuthServExtAccessRequests            Counter32,
          radiusAuthServExtDupAccessRequests         Counter32,
          radiusAuthServExtAccessAccepts             Counter32,
          radiusAuthServExtAccessRejects             Counter32,
          radiusAuthServExtAccessChallenges          Counter32,
          radiusAuthServExtMalformedAccessRequests   Counter32,
          radiusAuthServExtBadAuthenticators         Counter32,
          radiusAuthServExtPacketsDropped            Counter32,
          radiusAuthServExtUnknownTypes              Counter32
   }

   radiusAuthClientExtIndex OBJECT-TYPE
          SYNTAX      Integer32 (1..2147483647)
          MAX-ACCESS  not-accessible
          STATUS      current
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientExtEntry 1 }

   radiusAuthClientInetAddressType OBJECT-TYPE
          SYNTAX      InetAddressType
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The type of address format used for the
                 radiusAuthClientInetAddress object."
          ::= { radiusAuthClientExtEntry 2 }

   radiusAuthClientInetAddress OBJECT-TYPE
          SYNTAX      InetAddress
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The IP address of the RADIUS authentication
                 client referred to in this table entry, using
                 the version neutral IP address format."
          ::= { radiusAuthClientExtEntry 3 }

   radiusAuthClientExtID OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          REFERENCE   "RFC 2865 section 5.32"
          ::= { radiusAuthClientExtEntry 4 }

   -- Server Counters

   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServExtAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthClientExtEntry 5 }

   radiusAuthServExtDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthClientExtEntry 6 }

   radiusAuthServExtAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.2"
          ::= { radiusAuthClientExtEntry 7 }

   radiusAuthServExtAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.3"
          ::= { radiusAuthClientExtEntry 8 }

   radiusAuthServExtAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          REFERENCE   "RFC 2865 section 4.4"
          ::= { radiusAuthClientExtEntry 9 }

   radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          REFERENCE   "RFC 2865 sections 3, 4.1"
          ::= { radiusAuthClientExtEntry 10 }

   radiusAuthServExtBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthClientExtEntry 11 }

   radiusAuthServExtPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthClientExtEntry 12 }

   radiusAuthServExtUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          REFERENCE   "RFC 2865 section 4"
          ::= { radiusAuthClientExtEntry 13 }

   -- conformance information

   radiusAuthServMIBConformance OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 2 }

   radiusAuthServMIBCompliances OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 1 }

   radiusAuthServMIBGroups OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 2 }

   -- compliance statements

   radiusAuthServMIBCompliance MODULE-COMPLIANCE
          STATUS  deprecated
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB.  Implementation of this module is for
                 IPv4-only entities, or for backwards compatibility
                 use with entities that support both IPv4 and
                 IPv6."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."

          ::= { radiusAuthServMIBCompliances 1 }

   radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
          STATUS  current
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server IPv6 Extensions MIB.  Implementation of
                 this module is for entities that support IPv6,
                 or support IPv4 and IPv6."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServExtMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."
832 ::= { radiusAuthServMIBCompliances 2 } 834 -- units of conformance 836 radiusAuthServMIBGroup OBJECT-GROUP 837 OBJECTS {radiusAuthServIdent, 838 radiusAuthServUpTime, 839 radiusAuthServResetTime, 840 radiusAuthServConfigReset, 841 radiusAuthServTotalAccessRequests, 842 radiusAuthServTotalInvalidRequests, 843 radiusAuthServTotalDupAccessRequests, 844 radiusAuthServTotalAccessAccepts, 845 radiusAuthServTotalAccessRejects, 846 radiusAuthServTotalAccessChallenges, 847 radiusAuthServTotalMalformedAccessRequests, 848 radiusAuthServTotalBadAuthenticators, 849 radiusAuthServTotalPacketsDropped, 850 radiusAuthServTotalUnknownTypes, 851 radiusAuthClientAddress, 852 radiusAuthClientID, 853 radiusAuthServAccessRequests, 854 radiusAuthServDupAccessRequests, 855 radiusAuthServAccessAccepts, 856 radiusAuthServAccessRejects, 857 radiusAuthServAccessChallenges, 858 radiusAuthServMalformedAccessRequests, 859 radiusAuthServBadAuthenticators, 860 radiusAuthServPacketsDropped, 861 radiusAuthServUnknownTypes 862 } 863 STATUS deprecated 864 DESCRIPTION 865 "The collection of objects providing management of 866 a RADIUS Authentication Server." 
867 ::= { radiusAuthServMIBGroups 1 } 869 radiusAuthServExtMIBGroup OBJECT-GROUP 870 OBJECTS {radiusAuthServIdent, 871 radiusAuthServUpTime, 872 radiusAuthServResetTime, 873 radiusAuthServConfigReset, 874 radiusAuthServTotalAccessRequests, 875 radiusAuthServTotalInvalidRequests, 876 radiusAuthServTotalDupAccessRequests, 877 radiusAuthServTotalAccessAccepts, 878 radiusAuthServTotalAccessRejects, 879 radiusAuthServTotalAccessChallenges, 880 radiusAuthServTotalMalformedAccessRequests, 881 radiusAuthServTotalBadAuthenticators, 882 radiusAuthServTotalPacketsDropped, 883 radiusAuthServTotalUnknownTypes, 884 radiusAuthClientInetAddressType, 885 radiusAuthClientInetAddress, 886 radiusAuthClientExtID, 887 radiusAuthServExtAccessRequests, 888 radiusAuthServExtDupAccessRequests, 889 radiusAuthServExtAccessAccepts, 890 radiusAuthServExtAccessRejects, 891 radiusAuthServExtAccessChallenges, 892 radiusAuthServExtMalformedAccessRequests, 893 radiusAuthServExtBadAuthenticators, 894 radiusAuthServExtPacketsDropped, 895 radiusAuthServExtUnknownTypes 896 } 897 STATUS current 898 DESCRIPTION 899 "The collection of objects providing management of 900 a RADIUS Authentication Server." 901 ::= { radiusAuthServMIBGroups 2 } 903 END 905 8. IANA Considerations 907 This document requires no new IANA assignments. 909 9. Security Considerations 911 There are a number of management objects defined in this MIB that 912 have a MAX-ACCESS clause of read-write and/or read-create. Such 913 objects may be considered sensitive or vulnerable in some network 914 environments. The support for SET operations in a non-secure 915 environment without proper protection can have a negative effect on 916 network operations. These are: 918 radiusAuthServConfigReset This object can be used to reinitialize the 919 persistent state of any server. When set to reset(2), any 920 persistent server state (such as a process) is reinitialized as if 921 the server had just been started. 
Depending on the server 922 implementation details, this action may or may not interrupt the 923 processing of pending requests in the server. Abuse of this object 924 may lead to a Denial of Service attack on the server. 926 There are a number of managed objects in this MIB that may contain 927 sensitive information. These are: 929 radiusAuthClientAddress This can be used to determine the address 930 of the RADIUS authentication client with which the server is 931 communicating. This information could be useful in mounting an 932 attack on the authentication client, and it reveals which source addresses the server treats as RADIUS clients. 933 radiusAuthClientInetAddress This can be used to determine the address 934 of the RADIUS authentication client with which the server is 935 communicating. This information could be useful in mounting an 936 attack on the authentication client. 938 It is thus important to control even GET access to these objects and 939 possibly to even encrypt the values of these objects when sending them 940 over the network via SNMP. Not all versions of SNMP provide features 941 for such a secure environment. 943 SNMP versions prior to SNMPv3 do not provide a secure environment. 944 Even if the network itself is secure (for example by using IPsec), 945 there is no control as to who on the secure network is allowed to 946 access and GET/SET (read/change/create/delete) the objects in this 947 MIB. 949 It is RECOMMENDED that implementers consider the security features as 950 provided by the SNMPv3 framework (see [RFC3410], section 8), 951 including full support for the SNMPv3 cryptographic mechanisms (for 952 authentication and privacy). 954 Further, deployment of SNMP versions prior to SNMPv3 is NOT 955 RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to 956 enable cryptographic security. 
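The per-client counters defined in the module (radiusAuthServExtBadAuthenticators, radiusAuthServExtMalformedAccessRequests, radiusAuthServExtUnknownTypes and radiusAuthServExtPacketsDropped) are what a monitoring system would pull over the SNMPv3 session recommended above, and a rising bad-authenticator count from one client is the usual first sign of a shared-secret mismatch or of forged packets. The following Python is an added example, not code from this draft or from any RADIUS or SNMP implementation: it turns successive polls of those Counter32 objects into per-interval deltas, taking the modulo-2^32 wrap into account, and treats a change in radiusAuthServResetTime as a counter discontinuity rather than as an event. The poll snapshots and the thresholds are constructed for the example.

```python
"""Rate-of-change detection over the per-client RADIUS counters.

Added example, not part of this draft.  The radiusAuthServExt* objects are
Counter32 values, so only the difference between two polls carries meaning,
and that difference must be taken modulo 2^32 to survive a wrap.  A change
in radiusAuthServResetTime between two polls means the server's counters
were reinitialised (for instance through radiusAuthServConfigReset); the
interval is then a discontinuity and must not be turned into a rate.

ASSUMPTION: the poll snapshots and thresholds below are constructed for the
example; real snapshots would come from SNMPv3 GETs against the agent.
"""
from typing import Any, Dict, List, Tuple

COUNTER32_MODULUS = 2 ** 32

# radiusAuthClientExtTable counters that point at a misbehaving or spoofed
# client, with the per-interval delta (packets) at which to raise an alert.
THRESHOLDS: Dict[str, int] = {
    "radiusAuthServExtBadAuthenticators": 5,   # wrong shared secret or forged packets
    "radiusAuthServExtMalformedAccessRequests": 5,
    "radiusAuthServExtUnknownTypes": 1,
    "radiusAuthServExtPacketsDropped": 20,
}

# A snapshot holds the scalar radiusAuthServResetTime plus, per
# radiusAuthClientExtID, the Ext counters read in the same poll.
Snapshot = Dict[str, Any]


def counter32_delta(old: int, new: int) -> int:
    """Difference of two Counter32 readings, tolerating one wrap at 2^32."""
    return (new - old) % COUNTER32_MODULUS


def client_alerts(prev: Snapshot, cur: Snapshot) -> List[Tuple[str, str, int]]:
    """Return (client, counter, delta) for each threshold crossed between polls.

    An empty list is returned for a reset interval (radiusAuthServResetTime
    changed): the counters restarted from zero, so no delta is valid.
    """
    if prev["radiusAuthServResetTime"] != cur["radiusAuthServResetTime"]:
        return []
    alerts: List[Tuple[str, str, int]] = []
    for client, counters in cur["clients"].items():
        before = prev["clients"].get(client)
        if before is None:                     # row appeared since last poll
            continue
        for name, limit in THRESHOLDS.items():
            delta = counter32_delta(before[name], counters[name])
            if delta >= limit:
                alerts.append((client, name, delta))
    return alerts


def _client(bad: int, malformed: int, unknown: int, dropped: int) -> Dict[str, int]:
    """Build one row of Ext counters for the constructed polls."""
    return {
        "radiusAuthServExtBadAuthenticators": bad,
        "radiusAuthServExtMalformedAccessRequests": malformed,
        "radiusAuthServExtUnknownTypes": unknown,
        "radiusAuthServExtPacketsDropped": dropped,
    }


# Constructed polls.  nas-1's bad-authenticator counter sits just below 2^32
# in POLL_1 and wraps in POLL_2; POLL_3 follows a server reset.
POLL_1: Snapshot = {"radiusAuthServResetTime": 1000,
                    "clients": {"nas-1": _client(4294967290, 0, 0, 10),
                                "nas-2": _client(0, 0, 0, 0)}}
POLL_2: Snapshot = {"radiusAuthServResetTime": 1000,
                    "clients": {"nas-1": _client(3, 0, 0, 12),
                                "nas-2": _client(0, 0, 2, 0)}}
POLL_3: Snapshot = {"radiusAuthServResetTime": 5000,
                    "clients": {"nas-1": _client(0, 0, 0, 0),
                                "nas-2": _client(0, 0, 0, 0)}}

if __name__ == "__main__":
    for client, name, delta in client_alerts(POLL_1, POLL_2):
        print(f"ALERT {client}: {name} +{delta} in interval")
    print("after reset:", client_alerts(POLL_2, POLL_3))
```

Between POLL_1 and POLL_2 the wrapped counter yields a delta of 9 for nas-1 rather than a large negative number, and nas-2's two packets of unknown type are reported; between POLL_2 and POLL_3 nothing is reported because radiusAuthServResetTime moved, which is exactly the situation a SET of radiusAuthServConfigReset produces.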
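The access restrictions this section calls for are expressed in SNMPv3 through the View-based Access Control Model (VACM, RFC 3415): a read view that omits the client-address columns, a write view that contains nothing but radiusAuthServConfigReset, and both granted only to principals communicating at the authPriv level. The following Python is an added example, not code from this draft or from any SNMP agent: it implements VACM's family-subtree matching (longest matching subtree decides, mask bits select which sub-identifiers must match) and checks sample GET and SET requests against such a policy. The numeric OIDs are assumed from the module's registration under mib-2 67; only the last arc of each columnar object appears on this page. The user, group and view names are illustrative.

```python
"""VACM-style access control for the RADIUS authentication server MIB.

Added example, not part of this draft.  Implements the view-subtree matching
of RFC 3415 (longest matching family subtree wins; mask bits mark which
sub-identifiers must match, bits past the mask's end count as 1) and applies
it to the objects the Security Considerations single out: the writable
radiusAuthServConfigReset and the client-address columns.

ASSUMPTION: the numeric OIDs below follow the MIB's registration under
mib-2 67 (radiusMIB); only the last arc of each columnar object appears in
the excerpt of the module on this page.
"""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def oid(text: str) -> Oid:
    """Parse a dotted OID string into a tuple of sub-identifiers."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


RADIUS_AUTH_SERV_MIB = oid("1.3.6.1.2.1.67.1.1")
RADIUS_AUTH_SERV = RADIUS_AUTH_SERV_MIB + (1, 1)          # radiusAuthServ
CONFIG_RESET = RADIUS_AUTH_SERV + (4,)                    # radiusAuthServConfigReset
CLIENT_ADDRESS_COL = RADIUS_AUTH_SERV + (15, 1, 2)        # radiusAuthClientAddress
CLIENT_EXT_ENTRY = RADIUS_AUTH_SERV + (16, 1)             # radiusAuthClientExtEntry
CLIENT_INET_ADDRESS_COL = CLIENT_EXT_ENTRY + (3,)         # radiusAuthClientInetAddress
EXT_BAD_AUTHENTICATORS_COL = CLIENT_EXT_ENTRY + (11,)     # radiusAuthServExtBadAuthenticators

# SnmpSecurityLevel values from RFC 3414.
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3

# vacmViewTreeFamilyTable rows: (subtree, mask, included?).  An empty mask
# means every sub-identifier of the subtree must match.
Family = Tuple[Oid, bytes, bool]
VIEWS: Dict[str, List[Family]] = {
    "radius-ro": [
        (RADIUS_AUTH_SERV_MIB, b"", True),        # whole module readable ...
        (CLIENT_ADDRESS_COL, b"", False),         # ... except the client
        (CLIENT_INET_ADDRESS_COL, b"", False),    #     address columns
    ],
    "radius-admin-ro": [(RADIUS_AUTH_SERV_MIB, b"", True)],
    "radius-reset": [(CONFIG_RESET, b"", True)],  # the only SETable object
}

# vacmAccessTable, simplified: group -> (minimum level, read view, write view).
ACCESS: Dict[str, Tuple[int, str, Optional[str]]] = {
    "radius-monitor": (AUTH_PRIV, "radius-ro", None),
    "radius-admin": (AUTH_PRIV, "radius-admin-ro", "radius-reset"),
}
# vacmSecurityToGroupTable: USM user -> group (illustrative names).
GROUP_OF: Dict[str, str] = {"nms-poller": "radius-monitor", "radius-oper": "radius-admin"}


def mask_bit(mask: bytes, index: int) -> bool:
    """Bit `index` of a family mask; bits beyond the mask's length are 1."""
    byte, bit = divmod(index, 8)
    return byte >= len(mask) or bool(mask[byte] & (0x80 >> bit))


def family_matches(subtree: Oid, mask: bytes, target: Oid) -> bool:
    """RFC 3415: target lies in the family if every masked arc is equal."""
    if len(target) < len(subtree):
        return False
    return all(not mask_bit(mask, i) or s == t
               for i, (s, t) in enumerate(zip(subtree, target)))


def in_view(view: str, target: Oid) -> bool:
    """The longest (then lexicographically greatest) matching family decides."""
    best: Optional[Family] = None
    for family in VIEWS.get(view, []):
        subtree, mask, _ = family
        if family_matches(subtree, mask, target):
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = family
    return best is not None and best[2]


def is_access_allowed(user: str, level: int, op: str, target: Oid) -> Tuple[bool, str]:
    """Decide a GET or SET the way a VACM-configured agent would, with the reason."""
    group = GROUP_OF.get(user)
    if group is None:
        return False, "noGroupName"
    min_level, read_view, write_view = ACCESS[group]
    if level < min_level:
        return False, "noAccessEntry (security level too low)"
    view = write_view if op == "set" else read_view
    if view is None:
        return False, "noAccessEntry (no write view for group)"
    if not in_view(view, target):
        return False, "notInView"
    return True, "accessAllowed"


if __name__ == "__main__":
    row = (3,)                                  # instance arc of one client row
    for user, level, op, target in [
        ("nms-poller", AUTH_PRIV, "get", EXT_BAD_AUTHENTICATORS_COL + row),
        ("nms-poller", AUTH_PRIV, "get", CLIENT_INET_ADDRESS_COL + row),
        ("nms-poller", AUTH_PRIV, "set", CONFIG_RESET + (0,)),
        ("radius-oper", AUTH_PRIV, "set", CONFIG_RESET + (0,)),
        ("radius-oper", AUTH_NO_PRIV, "set", CONFIG_RESET + (0,)),
    ]:
        ok, why = is_access_allowed(user, level, op, target)
        print(f"{user:12s} {op:3s} {'.'.join(map(str, target))}: {why}")
```

The monitoring principal can read every counter in the module but not the client-address columns, and cannot SET at all; the operator principal can SET radiusAuthServConfigReset and nothing else, and only over an authenticated and encrypted session. In net-snmp the same policy is written with `view` directives plus `group` and `access` directives in snmpd.conf; whatever the agent, the two decisions that matter are excluding the address columns from the read view and confining the write view to the single reset scalar.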
It is then a customer/operator 957 responsibility to ensure that the SNMP entity giving access to an 958 instance of this MIB module is properly configured to give access to 959 the objects only to those principals (users) that have legitimate 960 rights to indeed GET or SET (change/create/delete) them. 962 10. References 964 10.1. Normative References 966 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 967 Requirement Levels", BCP 14, RFC 2119, March 1997. 969 [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model 970 (USM) for version 3 of the Simple Network Management 971 Protocol (SNMPv3)", RFC 2574, April 1999. 973 [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based 974 Access Control Model (VACM) for the Simple Network 975 Management Protocol (SNMP)", RFC 2575, April 1999. 977 [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. 978 Schoenwaelder, Ed., "Structure of Management Information 979 Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. 981 [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. 982 Schoenwaelder, Ed., "Textual Conventions for SMIv2", 983 STD 58, RFC 2579, April 1999. 985 [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder, 986 "Conformance Statements for SMIv2", STD 58, RFC 2580, 987 April 1999. 989 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, 990 "Remote Authentication Dial In User Service (RADIUS)", 991 RFC 2865, June 2000. 993 [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, 994 "Introduction and Applicability Statements for Internet- 995 Standard Management Framework", RFC 3410, December 2002. 997 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 998 Architecture for Describing Simple Network Management 999 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 1000 December 2002. 1002 [RFC3418] Presuhn, R., "Management Information Base (MIB) for the 1003 Simple Network Management Protocol (SNMP)", STD 62, 1004 RFC 3418, December 2002. 
1006 [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J. 1007 Schoenwaelder, "Textual Conventions for Internet Network 1008 Addresses", RFC 4001, February 2005. 1010 10.2. Informative References 1012 [RFC2619] Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB", 1013 RFC 2619, June 1999. 1015 Appendix A. Acknowledgments 1017 The Authors of the original MIB are Bernard Aboba and Glen Zorn. 1019 Many thanks to all reviewers, especially to David Harrington, Dan 1020 Romascanu, C.M. Heard, Bruno Pape and Greg Weber. 1022 Author's Address 1024 David B. Nelson 1025 Enterasys Networks 1026 50 Minuteman Road 1027 Andover, MA 01810 1028 USA 1030 Email: dnelson@enterasys.com 1032 Intellectual Property Statement 1034 The IETF takes no position regarding the validity or scope of any 1035 Intellectual Property Rights or other rights that might be claimed to 1036 pertain to the implementation or use of the technology described in 1037 this document or the extent to which any license under such rights 1038 might or might not be available; nor does it represent that it has 1039 made any independent effort to identify any such rights. Information 1040 on the procedures with respect to rights in RFC documents can be 1041 found in BCP 78 and BCP 79. 1043 Copies of IPR disclosures made to the IETF Secretariat and any 1044 assurances of licenses to be made available, or the result of an 1045 attempt made to obtain a general license or permission for the use of 1046 such proprietary rights by implementers or users of this 1047 specification can be obtained from the IETF on-line IPR repository at 1048 http://www.ietf.org/ipr. 1050 The IETF invites any interested party to bring to its attention any 1051 copyrights, patents or patent applications, or other proprietary 1052 rights that may cover technology that may be required to implement 1053 this standard. Please address the information to the IETF at 1054 ietf-ipr@ietf.org. 
1056 Disclaimer of Validity 1058 This document and the information contained herein are provided on an 1059 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1060 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1061 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1062 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1063 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1064 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1066 Copyright Statement 1068 Copyright (C) The Internet Society (2006). This document is subject 1069 to the rights, licenses and restrictions contained in BCP 78, and 1070 except as set forth therein, the authors retain all their rights. 1072 Acknowledgment 1074 Funding for the RFC Editor function is currently provided by the 1075 Internet Society.