Network Working Group                                          D. Nelson
Internet-Draft                                        Enterasys Networks
Obsoletes: RFC 2619 (if approved)                           May 12, 2006
Expires: November 13, 2006

                      RADIUS Auth Server MIB (IPv6)
                    draft-ietf-radext-rfc2619bis-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 13, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a set of extensions which instrument RADIUS
   authentication server functions.  These extensions represent a
   portion of the Management Information Base (MIB) for use with network
   management protocols in the Internet community.  Using these
   extensions IP-based management stations can manage RADIUS
   authentication servers.

   This memo obsoletes RFC 2619 by deprecating the MIB table containing
   IPv4-only address formats and defining a new table to add support for
   version neutral IP address formats.  The remaining MIB objects from
   RFC 2619 are carried forward into this document.  This memo also adds
   UNITS and Reference clauses to selected objects.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  The Internet-Standard Management Framework
   4.  Scope of Changes
   5.  Structure of the MIB Module
   6.  Deprecated Objects
   7.  Definitions
   8.  IANA Considerations
   9.  Security Considerations
   10. References
       10.1.  Normative References
       10.2.  Informative References
   Appendix A.  Acknowledgments
   Author's Address
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865].

   This document uses the word "malformed" with respect to RADIUS
   packets, particularly in the context of counters of "malformed
   packets".  While RFC 2865 does not provide an explicit definition of
   "malformed", malformed generally means that the implementation has
   determined the packet does not match the format defined in RFC 2865.
   Some implementations may determine that packets are malformed when
   the Vendor Specific Attribute (VSA) format does not follow the RFC
   2865 recommendations for VSAs.  Those implementations are used in
   deployments today, and thus set the de-facto definition of
   "malformed".

2.  Introduction

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   The objects defined within this memo relate to the Remote
   Authentication Dial-In User Service (RADIUS) Authentication Server as
   defined in RFC 2865 [RFC2865].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

4.  Scope of Changes

   This document obsoletes RFC 2619 [RFC2619], RADIUS Authentication
   Server MIB, by deprecating the radiusAuthClientTable table and adding
   a new table, radiusAuthClientExtTable, containing
   radiusAuthClientInetAddressType and radiusAuthClientInetAddress.  The
   purpose of these added MIB objects is to support version neutral IP
   addressing formats.  The existing table containing
   radiusAuthClientAddress is deprecated.  The remaining MIB objects
   from RFC 2619 are carried forward into this document.  This memo also
   adds UNITS and REFERENCE clauses to selected objects.

   RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
   version neutral IP addresses, contains the following recommendation.

      'In particular, when revising a MIB module that contains IPv4
      specific tables, it is suggested to define new tables using the
      textual conventions defined in this memo [RFC4001] that support all
      versions of IP.  The status of the new tables SHOULD be "current",
      whereas the status of the old IP version specific tables SHOULD be
      changed to "deprecated".  The other approach, of having multiple
      similar tables for different IP versions, is strongly discouraged.'

5.  Structure of the MIB Module

   The RADIUS authentication protocol, described in RFC 2865 [RFC2865],
   distinguishes between the client function and the server function.
   In RADIUS authentication, clients send Access-Requests, and servers
   reply with Access-Accepts, Access-Rejects, and Access-Challenges.
   Typically NAS devices implement the client function, and thus would
   be expected to implement the RADIUS authentication client MIB, while
   RADIUS authentication servers implement the server function, and thus
   would be expected to implement the RADIUS authentication server MIB.

   However, it is possible for a RADIUS authentication entity to perform
   both client and server functions.  For example, a RADIUS proxy may
   act as a server to one or more RADIUS authentication clients, while
   simultaneously acting as an authentication client to one or more
   authentication servers.  In such situations, it is expected that
   RADIUS entities combining client and server functionality will
   support both the client and server MIBs.

   This MIB module contains fourteen scalars as well as a single table,
   the RADIUS Authentication Client Table, which contains one row for
   each RADIUS authentication client with which the server shares a
   secret.  Each entry in the RADIUS Authentication Client Table
   includes thirteen columns presenting a view of the activity of the
   RADIUS authentication server.

6.  Deprecated Objects

   The deprecated table in this MIB is carried forward from RFC 2619
   [RFC2619].  There are two conditions under which it MAY be desirable
   for managed entities to continue to support the deprecated table:

   1.  The managed entity only supports IPv4 address formats.

   2.  The managed entity supports both IPv4 and IPv6 address formats,
       and the deprecated table is supported for backwards compatibility
       with older management stations.  This option SHOULD only be used
       when the IP addresses in the new table are in IPv4 format and can
       accurately be represented in both the new table and the
       deprecated table.

   Managed entities SHOULD NOT instantiate row entries in the deprecated
   table, containing IPv4-only address objects, when the RADIUS client
   address represented in such a table row is not an IPv4 address.
   Managed entities SHOULD NOT return inaccurate values of IP address or
   SNMP object access errors for IPv4-only address objects in otherwise
   populated tables.  When row entries exist in both the deprecated
   IPv4-only table and the new IP version neutral table that describe
   the same RADIUS client, the row indexes SHOULD be the same for the
   corresponding rows in each table, to facilitate correlation of these
   related rows by management applications.

7.  Definitions

   RADIUS-AUTH-SERVER-MIB DEFINITIONS ::= BEGIN

   IMPORTS
          MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
          Counter32, Integer32,
          IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
          SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
          InetAddressType, InetAddress     FROM INET-ADDRESS-MIB
          MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

   radiusAuthServMIB MODULE-IDENTITY
          LAST-UPDATED "200605100000Z" -- 10 May 2006
          ORGANIZATION "IETF RADIUS Extensions Working Group."
          CONTACT-INFO
                 " Bernard Aboba
                   Microsoft
                   One Microsoft Way
                   Redmond, WA  98052
                   US
                   Phone: +1 425 936 6605
                   EMail: bernarda@microsoft.com"
          DESCRIPTION
                "The MIB module for entities implementing the server
                 side of the Remote Authentication Dial-In User
                 Service (RADIUS) authentication protocol.  Copyright
                 (C) The Internet Society (2006).  This version of this
                 MIB module is part of RFC xxxx; see the RFC itself for
                 full legal notices."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.
          REVISION "200605100000Z" -- 10 May 2006
          DESCRIPTION
                "Revised version as published in RFC xxxx.  This
                 version obsoletes that of RFC 2619 by deprecating the
                 MIB table containing IPv4-only address formats and
                 defining a new table to add support for version neutral
                 IP address formats.  The remaining MIB objects from RFC
                 2619 are carried forward into this version."

   -- RFC Editor: replace xxxx with actual RFC number at the time of
   -- publication, and remove this note.

          REVISION "199906110000Z" -- 11 Jun 1999
          DESCRIPTION "Initial version as published in RFC 2619."

          ::= { radiusAuthentication 1 }

   radiusMIB OBJECT-IDENTITY
          STATUS  current
          DESCRIPTION
                "The OID assigned to RADIUS MIB work by the IANA."
          ::= { mib-2 67 }

   radiusAuthentication  OBJECT IDENTIFIER ::= {radiusMIB 1}

   radiusAuthServMIBObjects OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 1 }

   radiusAuthServ OBJECT IDENTIFIER
          ::= { radiusAuthServMIBObjects 1 }

   radiusAuthServIdent OBJECT-TYPE
          SYNTAX      SnmpAdminString
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The implementation identification string for the
                 RADIUS authentication server software in use on the
                 system, for example; `FNS-2.1'"
          ::= {radiusAuthServ 1}

   radiusAuthServUpTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a
                 process), this value will be the time elapsed (in
                 hundredths of a second) since the server process
                 was started.  For software without persistent state,
                 this value will be zero."
          ::= {radiusAuthServ 2}

   radiusAuthServResetTime OBJECT-TYPE
          SYNTAX      TimeTicks
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "If the server has a persistent state (e.g., a process)
                 and supports a `reset' operation (e.g., can be told to
                 re-read configuration files), this value will be the
                 time elapsed (in hundredths of a second) since the
                 server was `reset.'  For software that does not
                 have persistence or does not support a `reset'
                 operation, this value will be zero."
          ::= {radiusAuthServ 3}

   radiusAuthServConfigReset OBJECT-TYPE
          SYNTAX INTEGER { other(1),
                           reset(2),
                           initializing(3),
                           running(4)}
          MAX-ACCESS  read-write
          STATUS      current
          DESCRIPTION
                "Status/action object to reinitialize any persistent
                 server state.  When set to reset(2), any persistent
                 server state (such as a process) is reinitialized as
                 if the server had just been started.  This value will
                 never be returned by a read operation.  When read,
                 one of the following values will be returned:
                     other(1) - server in some unknown state;
                     initializing(3) - server (re)initializing;
                     running(4) - server currently running."
          ::= {radiusAuthServ 4}

   radiusAuthServTotalAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of packets received on the
                 authentication port."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 5}

   radiusAuthServTotalInvalidRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Request packets
                 received from unknown addresses."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 6 }

   radiusAuthServTotalDupAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 7 }

   radiusAuthServTotalAccessAccepts OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets sent."
          REFERENCE   "RFC 2865 section 4.2"
          ::= { radiusAuthServ 8 }

   radiusAuthServTotalAccessRejects OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets sent."
          REFERENCE   "RFC 2865 section 4.3"
          ::= { radiusAuthServ 9 }

   radiusAuthServTotalAccessChallenges OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets sent."
          REFERENCE   "RFC 2865 section 4.4"
          ::= { radiusAuthServ 10 }

   radiusAuthServTotalMalformedAccessRequests OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received.  Bad authenticators
                 and unknown types are not included as
                 malformed Access-Requests."
          REFERENCE   "RFC 2865 section 4.1"
          ::= { radiusAuthServ 11 }

   radiusAuthServTotalBadAuthenticators OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthServ 12 }

   radiusAuthServTotalPacketsDropped OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of incoming packets
                 silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          REFERENCE   "RFC 2865 section 3"
          ::= { radiusAuthServ 13 }

   radiusAuthServTotalUnknownTypes OBJECT-TYPE
          SYNTAX      Counter32
          UNITS       "packets"
          MAX-ACCESS  read-only
          STATUS      current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received."
          REFERENCE   "RFC 2865 section 4"
          ::= { radiusAuthServ 14 }

   radiusAuthClientTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 15 }

   radiusAuthClientEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientEntry
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientIndex }
          ::= { radiusAuthClientTable 1 }

   RadiusAuthClientEntry ::= SEQUENCE {
          radiusAuthClientIndex                           Integer32,
          radiusAuthClientAddress                         IpAddress,
          radiusAuthClientID                              SnmpAdminString,
          radiusAuthServAccessRequests                    Counter32,
          radiusAuthServDupAccessRequests                 Counter32,
          radiusAuthServAccessAccepts                     Counter32,
          radiusAuthServAccessRejects                     Counter32,
          radiusAuthServAccessChallenges                  Counter32,
          radiusAuthServMalformedAccessRequests           Counter32,
          radiusAuthServBadAuthenticators                 Counter32,
          radiusAuthServPacketsDropped                    Counter32,
          radiusAuthServUnknownTypes                      Counter32
   }

   radiusAuthClientIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     deprecated
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientEntry 1 }

   radiusAuthClientAddress OBJECT-TYPE
          SYNTAX     IpAddress
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-IP-Address of the RADIUS authentication client
                 referred to in this table entry."
          REFERENCE  "RFC 2865 section 2"
          ::= { radiusAuthClientEntry 2 }

   radiusAuthClientID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          REFERENCE  "RFC 2865 section 5.32"
          ::= { radiusAuthClientEntry 3 }

   -- Server Counters
   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client."
          REFERENCE  "RFC 2865 section 4.1"
          ::= { radiusAuthClientEntry 4 }

   radiusAuthServDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client."
          REFERENCE  "RFC 2865 section 4.1"
          ::= { radiusAuthClientEntry 5 }

   radiusAuthServAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client."
          REFERENCE  "RFC 2865 section 4.2"
          ::= { radiusAuthClientEntry 6 }

   radiusAuthServAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client."
          REFERENCE  "RFC 2865 section 4.3"
          ::= { radiusAuthClientEntry 7 }

   radiusAuthServAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client."
          REFERENCE  "RFC 2865 section 4.4"
          ::= { radiusAuthClientEntry 8 }

   radiusAuthServMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.
                 Bad authenticators and unknown types are not included
                 as malformed Access-Requests."
          REFERENCE  "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 9 }

   radiusAuthServBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client."
          REFERENCE  "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 10 }

   radiusAuthServPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of incoming packets from this
                 client silently discarded for some reason other
                 than malformed, bad authenticators or
                 unknown types."
          REFERENCE  "RFC 2865 section 3"
          ::= { radiusAuthClientEntry 11 }

   radiusAuthServUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     deprecated
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client."
          REFERENCE  "RFC 2865 section 4"
          ::= { radiusAuthClientEntry 12 }

   -- New MIB objects added in this revision

   radiusAuthClientExtTable OBJECT-TYPE
          SYNTAX     SEQUENCE OF RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "The (conceptual) table listing the RADIUS
                 authentication clients with which the server shares
                 a secret."
          ::= { radiusAuthServ 16 }

   radiusAuthClientExtEntry OBJECT-TYPE
          SYNTAX     RadiusAuthClientExtEntry
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "An entry (conceptual row) representing a RADIUS
                 authentication client with which the server shares a
                 secret."
          INDEX      { radiusAuthClientExtIndex }
          ::= { radiusAuthClientExtTable 1 }

   RadiusAuthClientExtEntry ::= SEQUENCE {
          radiusAuthClientExtIndex                        Integer32,
          radiusAuthClientInetAddressType                 InetAddressType,
          radiusAuthClientInetAddress                     InetAddress,
          radiusAuthClientExtID                           SnmpAdminString,
          radiusAuthServExtAccessRequests                 Counter32,
          radiusAuthServExtDupAccessRequests              Counter32,
          radiusAuthServExtAccessAccepts                  Counter32,
          radiusAuthServExtAccessRejects                  Counter32,
          radiusAuthServExtAccessChallenges               Counter32,
          radiusAuthServExtMalformedAccessRequests        Counter32,
          radiusAuthServExtBadAuthenticators              Counter32,
          radiusAuthServExtPacketsDropped                 Counter32,
          radiusAuthServExtUnknownTypes                   Counter32,
          radiusAuthServCounterDiscontinuity              TimeTicks
   }

   radiusAuthClientExtIndex OBJECT-TYPE
          SYNTAX     Integer32 (1..2147483647)
          MAX-ACCESS not-accessible
          STATUS     current
          DESCRIPTION
                "A number uniquely identifying each RADIUS
                 authentication client with which this server
                 communicates."
          ::= { radiusAuthClientExtEntry 1 }

   radiusAuthClientInetAddressType OBJECT-TYPE
          SYNTAX     InetAddressType
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The type of address format used for the
                 radiusAuthClientInetAddress object."
          ::= { radiusAuthClientExtEntry 2 }

   radiusAuthClientInetAddress OBJECT-TYPE
          SYNTAX     InetAddress
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The IP address of the RADIUS authentication
                 client referred to in this table entry, using
                 the version neutral IP address format."
          ::= { radiusAuthClientExtEntry 3 }

   radiusAuthClientExtID OBJECT-TYPE
          SYNTAX     SnmpAdminString
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The NAS-Identifier of the RADIUS authentication client
                 referred to in this table entry.  This is not
                 necessarily the same as sysName in MIB II."
          REFERENCE  "RFC 2865 section 5.32"
          ::= { radiusAuthClientExtEntry 4 }

   -- Server Counters
   --
   -- Responses = AccessAccepts + AccessRejects + AccessChallenges
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped - Responses = Pending
   --
   -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
   -- UnknownTypes - PacketsDropped = entries logged

   radiusAuthServExtAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of packets received on the authentication
                 port from this client.  This counter may experience a
                 discontinuity when the RADIUS Server module within the
                 managed entity is reinitialized, as indicated by the
                 current value of radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4.1"
          ::= { radiusAuthClientExtEntry 5 }

   radiusAuthServExtDupAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of duplicate RADIUS Access-Request
                 packets received from this client.  This counter may
                 experience a discontinuity when the RADIUS Server
                 module within the managed entity is reinitialized, as
                 indicated by the current value of
                 radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4.1"
          ::= { radiusAuthClientExtEntry 6 }

   radiusAuthServExtAccessAccepts OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Accept packets
                 sent to this client.  This counter may experience a
                 discontinuity when the RADIUS Server module within the
                 managed entity is reinitialized, as indicated by the
                 current value of radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4.2"
          ::= { radiusAuthClientExtEntry 7 }

   radiusAuthServExtAccessRejects OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Reject packets
                 sent to this client.  This counter may experience a
                 discontinuity when the RADIUS Server module within the
                 managed entity is reinitialized, as indicated by the
                 current value of radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4.3"
          ::= { radiusAuthClientExtEntry 8 }

   radiusAuthServExtAccessChallenges OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Access-Challenge packets
                 sent to this client.  This counter may experience a
                 discontinuity when the RADIUS Server module within the
                 managed entity is reinitialized, as indicated by the
                 current value of radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4.4"
          ::= { radiusAuthClientExtEntry 9 }

   radiusAuthServExtMalformedAccessRequests OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of malformed RADIUS Access-Request
                 packets received from this client.  Bad authenticators
                 and unknown types are not included as malformed
                 Access-Requests.
                 This counter may experience a
                 discontinuity when the RADIUS Server module within the
                 managed entity is reinitialized, as indicated by the
                 current value of radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 sections 3, 4.1"
          ::= { radiusAuthClientExtEntry 10 }

   radiusAuthServExtBadAuthenticators OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS Authentication-Request packets
                 which contained invalid Message Authenticator
                 attributes received from this client.  This counter
                 may experience a discontinuity when the RADIUS Server
                 module within the managed entity is reinitialized, as
                 indicated by the current value of
                 radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 3"
          ::= { radiusAuthClientExtEntry 11 }

   radiusAuthServExtPacketsDropped OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of incoming packets from this client
                 silently discarded for some reason other than
                 malformed, bad authenticators or unknown types.
                 This counter may experience a discontinuity when the
                 RADIUS Server module within the managed entity is
                 reinitialized, as indicated by the current value of
                 radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 3"
          ::= { radiusAuthClientExtEntry 12 }

   radiusAuthServExtUnknownTypes OBJECT-TYPE
          SYNTAX     Counter32
          UNITS      "packets"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of RADIUS packets of unknown type which
                 were received from this client.  This counter may
                 experience a discontinuity when the RADIUS Server
                 module within the managed entity is reinitialized, as
                 indicated by the current value of
                 radiusAuthServCounterDiscontinuity."
          REFERENCE  "RFC 2865 section 4"
          ::= { radiusAuthClientExtEntry 13 }

   radiusAuthServCounterDiscontinuity OBJECT-TYPE
          SYNTAX     TimeTicks
          UNITS      "centiseconds"
          MAX-ACCESS read-only
          STATUS     current
          DESCRIPTION
                "The number of centiseconds since the last
                 discontinuity in the RADIUS Server counters.
                 A discontinuity may be the result of a
                 reinitialization of the RADIUS Server module
                 within the managed entity."
          ::= { radiusAuthClientExtEntry 14 }

   -- conformance information

   radiusAuthServMIBConformance OBJECT IDENTIFIER
          ::= { radiusAuthServMIB 2 }

   radiusAuthServMIBCompliances OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 1 }

   radiusAuthServMIBGroups OBJECT IDENTIFIER
          ::= { radiusAuthServMIBConformance 2 }

   -- compliance statements

   radiusAuthServMIBCompliance MODULE-COMPLIANCE
          STATUS  deprecated
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server MIB.  Implementation of this module is for
                 IPv4-only entities, or for backwards compatibility
                 use with entities that support both IPv4 and
                 IPv6."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."

          ::= { radiusAuthServMIBCompliances 1 }

   radiusAuthServMIBExtCompliance MODULE-COMPLIANCE
          STATUS  current
          DESCRIPTION
                "The compliance statement for authentication
                 servers implementing the RADIUS Authentication
                 Server IPv6 Extensions MIB.  Implementation of
                 this module is for entities that support IPv6,
                 or support IPv4 and IPv6."
          MODULE  -- this module
          MANDATORY-GROUPS { radiusAuthServExtMIBGroup }

          OBJECT        radiusAuthServConfigReset
          WRITE-SYNTAX  INTEGER { reset(2) }
          DESCRIPTION  "The only SETable value is 'reset' (2)."
888 OBJECT radiusAuthClientInetAddressType 889 SYNTAX InetAddressType { ipv4(1), ipv6(2) } 890 DESCRIPTION 891 "An implementation is only required to support 892 IPv4 and globally unique IPv6 addresses." 894 OBJECT radiusAuthClientInetAddress 895 SYNTAX InetAddress ( SIZE (4|16) ) 896 DESCRIPTION 897 "An implementation is only required to support 898 IPv4 and globally unique IPv6 addresses." 900 ::= { radiusAuthServMIBCompliances 2 } 902 -- units of conformance 904 radiusAuthServMIBGroup OBJECT-GROUP 905 OBJECTS {radiusAuthServIdent, 906 radiusAuthServUpTime, 907 radiusAuthServResetTime, 908 radiusAuthServConfigReset, 909 radiusAuthServTotalAccessRequests, 910 radiusAuthServTotalInvalidRequests, 911 radiusAuthServTotalDupAccessRequests, 912 radiusAuthServTotalAccessAccepts, 913 radiusAuthServTotalAccessRejects, 914 radiusAuthServTotalAccessChallenges, 915 radiusAuthServTotalMalformedAccessRequests, 916 radiusAuthServTotalBadAuthenticators, 917 radiusAuthServTotalPacketsDropped, 918 radiusAuthServTotalUnknownTypes, 919 radiusAuthClientAddress, 920 radiusAuthClientID, 921 radiusAuthServAccessRequests, 922 radiusAuthServDupAccessRequests, 923 radiusAuthServAccessAccepts, 924 radiusAuthServAccessRejects, 925 radiusAuthServAccessChallenges, 926 radiusAuthServMalformedAccessRequests, 927 radiusAuthServBadAuthenticators, 928 radiusAuthServPacketsDropped, 929 radiusAuthServUnknownTypes 930 } 931 STATUS deprecated 932 DESCRIPTION 933 "The collection of objects providing management of 934 a RADIUS Authentication Server." 
         ::= { radiusAuthServMIBGroups 1 }

   radiusAuthServExtMIBGroup OBJECT-GROUP
         OBJECTS {radiusAuthServIdent,
                  radiusAuthServUpTime,
                  radiusAuthServResetTime,
                  radiusAuthServConfigReset,
                  radiusAuthServTotalAccessRequests,
                  radiusAuthServTotalInvalidRequests,
                  radiusAuthServTotalDupAccessRequests,
                  radiusAuthServTotalAccessAccepts,
                  radiusAuthServTotalAccessRejects,
                  radiusAuthServTotalAccessChallenges,
                  radiusAuthServTotalMalformedAccessRequests,
                  radiusAuthServTotalBadAuthenticators,
                  radiusAuthServTotalPacketsDropped,
                  radiusAuthServTotalUnknownTypes,
                  radiusAuthClientInetAddressType,
                  radiusAuthClientInetAddress,
                  radiusAuthClientExtID,
                  radiusAuthServExtAccessRequests,
                  radiusAuthServExtDupAccessRequests,
                  radiusAuthServExtAccessAccepts,
                  radiusAuthServExtAccessRejects,
                  radiusAuthServExtAccessChallenges,
                  radiusAuthServExtMalformedAccessRequests,
                  radiusAuthServExtBadAuthenticators,
                  radiusAuthServExtPacketsDropped,
                  radiusAuthServExtUnknownTypes,
                  radiusAuthServCounterDiscontinuity
                  }
         STATUS current
         DESCRIPTION
               "The collection of objects providing management of
                a RADIUS Authentication Server."
         ::= { radiusAuthServMIBGroups 2 }

   END

8. IANA Considerations

   This document requires no new IANA assignments.

9. Security Considerations

   There are a number of management objects defined in this MIB that
   have a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are:

   radiusAuthServConfigReset
      This object can be used to reinitialize the persistent state of
      any server.  When set to reset(2), any persistent server state
      (such as a process) is reinitialized as if the server had just
      been started.  Depending on the server implementation details,
      this action may or may not interrupt the processing of pending
      requests in the server.  Abuse of this object may lead to a
      Denial of Service attack on the server.

   There are a number of managed objects in this MIB that may contain
   sensitive information.  These are:

   radiusAuthClientIPAddress
      This can be used to determine the address of the RADIUS
      authentication client with which the server is communicating.
      This information could be useful in mounting an attack on the
      authentication client.

   radiusAuthClientInetAddress
      This can be used to determine the address of the RADIUS
      authentication client with which the server is communicating.
      This information could be useful in mounting an attack on the
      authentication client.

   It is thus important to control even GET access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  Not all versions of SNMP provide
   features for such a secure environment.

   SNMP versions prior to SNMPv3 do not provide a secure environment.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.
   It is then a customer/operator responsibility to ensure that the SNMP
   entity giving access to an instance of this MIB module is properly
   configured to give access to the objects only to those principals
   (users) that have legitimate rights to indeed GET or SET
   (change/create/delete) them.

10. References

10.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

10.2. Informative References

   [RFC2619]  Zorn, G. and B. Aboba, "RADIUS Authentication Server MIB",
              RFC 2619, June 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

   [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
              Schoenwaelder, "Textual Conventions for Internet Network
              Addresses", RFC 4001, February 2005.

Appendix A. Acknowledgments

   The authors of the original MIB are Bernard Aboba and Glen Zorn.

   Many thanks to all reviewers, especially to David Harrington, Dan
   Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.

Author's Address

   David B. Nelson
   Enterasys Networks
   50 Minuteman Road
   Andover, MA 01810
   USA

   Email: dnelson@enterasys.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
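   As an added example (not part of this draft and not code from any
   RADIUS or SNMP implementation), the Python below shows how a
   management application would consume polled rows of the
   radiusAuthClientExtTable defined above.  It decodes the
   radiusAuthClientInetAddressType/radiusAuthClientInetAddress pair
   under the SIZE (4|16) refinement of radiusAuthServMIBExtCompliance,
   and it computes per-client deltas of the radiusAuthServExt* Counter32
   objects while re-baselining whenever radiusAuthServCounterDiscontinuity
   shows that the RADIUS Server module was reinitialized between polls,
   so that a reset (for instance one triggered through
   radiusAuthServConfigReset) is not misread as a burst of bad
   authenticators or rejects.  The SNMP transport, the dict-per-row
   representation, the 60-second poll interval, the one-second jitter
   tolerance and every row value are assumptions constructed for the
   example.

```python
# Added example, not part of the draft or of any RADIUS implementation:
# a manager-side consumer of polled radiusAuthClientExtTable rows.  SNMP
# transport is out of scope; rows are passed in as plain dicts keyed by
# object name, and all sample values below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPV4, IPV6 = 1, 2            # InetAddressType values the compliance statement requires
COUNTER32_MODULUS = 2 ** 32  # Counter32 wraps modulo 2^32
TOLERANCE_CS = 100           # assumed 1 s of slack for poll-timing jitter


def is_compliant_address(addr_type: int, addr: bytes) -> bool:
    """True for exactly the (type, length) pairs allowed by the SYNTAX
    refinements in radiusAuthServMIBExtCompliance: ipv4(1) with 4 bytes
    and ipv6(2) with 16 bytes."""
    return (addr_type, len(addr)) in ((IPV4, 4), (IPV6, 16))


def decode_client_address(addr_type: int, addr: bytes) -> str:
    """Render radiusAuthClientInetAddressType/radiusAuthClientInetAddress
    as text, rejecting anything outside the compliance statement."""
    if not is_compliant_address(addr_type, addr):
        raise ValueError(
            f"InetAddressType {addr_type} with a {len(addr)}-byte InetAddress "
            "is outside the SIZE (4|16) refinement")
    return str(ipaddress.ip_address(addr))


@dataclass
class Baseline:
    polled_at_cs: int      # manager clock at the poll, in centiseconds
    discontinuity_cs: int  # radiusAuthServCounterDiscontinuity at the poll
    counters: dict         # radiusAuthServExt* name -> Counter32 value


class ClientCounterTracker:
    """Per-client Counter32 deltas that survive counter wrap and a
    reinitialization of the RADIUS Server module."""

    def __init__(self) -> None:
        self._last: dict = {}  # decoded client address -> Baseline

    def update(self, row: dict, polled_at_cs: int) -> Optional[dict]:
        """Feed one polled row.  Returns the deltas of every
        radiusAuthServExt* counter since the previous poll of the same
        client, or None when this poll only (re)establishes a baseline."""
        client = decode_client_address(row["radiusAuthClientInetAddressType"],
                                       row["radiusAuthClientInetAddress"])
        counters = {k: int(v) for k, v in row.items()
                    if k.startswith("radiusAuthServExt")}
        disc = int(row["radiusAuthServCounterDiscontinuity"])
        prev = self._last.get(client)
        self._last[client] = Baseline(polled_at_cs, disc, counters)
        if prev is None:
            return None
        # Without a reinitialization the discontinuity timer (centiseconds
        # since the last reset) advances in step with our poll interval.
        # If it falls noticeably short, the server module was reset between
        # the two polls and the old counter values are not comparable.
        elapsed = polled_at_cs - prev.polled_at_cs
        if disc < prev.discontinuity_cs + elapsed - TOLERANCE_CS:
            return None
        # Counter32 wrap: the modulo keeps a delta across 2^32 positive.
        return {k: (counters[k] - prev.counters[k]) % COUNTER32_MODULUS
                for k in counters}


def run_sample() -> list:
    """Four constructed polls, 60 s apart, of one IPv4 and one IPv6 client.
    Between polls 2 and 3 the server is reinitialized; in poll 2 the IPv4
    client's BadAuthenticators counter wraps past 2^32.  Returns the
    update() result of each call in order."""
    def row(addr_type, addr, disc, bad_auth, rejects):
        return {"radiusAuthClientInetAddressType": addr_type,
                "radiusAuthClientInetAddress": addr,
                "radiusAuthClientExtID": "nas-sample",
                "radiusAuthServExtBadAuthenticators": bad_auth,
                "radiusAuthServExtAccessRejects": rejects,
                "radiusAuthServCounterDiscontinuity": disc}

    v4 = bytes([192, 0, 2, 10])                             # 192.0.2.10
    v6 = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
    t = ClientCounterTracker()
    polls = [
        (0,     [row(IPV4, v4, 500_000, 2**32 - 3, 40), row(IPV6, v6, 500_000, 7, 10)]),
        (6000,  [row(IPV4, v4, 506_000, 5, 55),         row(IPV6, v6, 506_000, 7, 12)]),
        (12000, [row(IPV4, v4, 2_000, 0, 1),            row(IPV6, v6, 2_000, 0, 0)]),  # reset 20 s ago
        (18000, [row(IPV4, v4, 8_000, 1, 3),            row(IPV6, v6, 8_000, 4, 0)]),
    ]
    return [t.update(r, at) for at, rows in polls for r in rows]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

   The first poll of each client and the first poll after the reset
   return None rather than a delta; a collector that alerted on a rising
   radiusAuthServExtBadAuthenticators rate would otherwise see the
   post-reset values as a negative or, after modulo, a near-2^32 jump.
   The address check is deliberately strict: a row whose type and length
   disagree is rejected rather than guessed at, which is the behaviour
   the compliance statement's SYNTAX refinements license an agent to
   expect of its peers.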