idnits 2.17.1

draft-ietf-radext-rfc2620bis-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 984.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 961.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 968.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 974.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to
     RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you
     can ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 26, 2006) is 6513 days in the past. Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative
     references to lower-maturity documents in RFCs)

  ** Downref: Normative reference to an Informational RFC: RFC 2866

  -- Obsolete informational reference (is this intentional?): RFC 2620
     (Obsoleted by RFC 4670)


     Summary: 4 errors (**), 0 flaws (~~), 4 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information
     about the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                         D. Nelson
3    Internet-Draft                                       Enterasys Networks
4    Obsoletes: RFC 2620 (if approved)                         June 26, 2006
5    Expires: December 28, 2006

7                    RADIUS Accounting Client MIB for IPv6
8                     draft-ietf-radext-rfc2620bis-04.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups. Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time. It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress."

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33      This Internet-Draft will expire on December 28, 2006.

35   Copyright Notice

37      Copyright (C) The Internet Society (2006).

39   Abstract

41      This memo defines a set of extensions, which instrument RADIUS
42      accounting client functions. These extensions represent a portion of
43      the Management Information Base (MIB) for use with network management
44      protocols in the Internet community. Using these extensions IP-based
45      management stations can manage RADIUS accounting clients.

47      This memo obsoletes RFC 2620 by deprecating the MIB table containing
48      IPv4-only address formats and defining a new table to add support for
49      version neutral IP address formats. The remaining MIB objects from
50      RFC 2620 are carried forward into this document. This memo also adds
51      UNITS and REFERENCE clauses to selected objects.

53   Table of Contents

55      1.  Terminology
56      2.  Introduction
57      3.  The Internet-Standard Management Framework
58      4.  Scope of Changes
59      5.  Structure of the MIB Module
60      6.  Deprecated Objects
61      7.  Definitions
62      8.  IANA Considerations
63      9.  Security Considerations
64      10. References
65        10.1. Normative References
66        10.2. Informative References
67      Appendix A. Acknowledgments
68      Author's Address
69      Intellectual Property and Copyright Statements

71   1. Terminology

73      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75      document are to be interpreted as described in RFC 2119 [RFC2119].

77      This document uses terminology from RFC 2866 [RFC2866].

79      This document uses the word "malformed" with respect to RADIUS
80      packets, particularly in the context of counters of "malformed
81      packets". While RFC 2866 does not provide an explicit definition of
82      "malformed", malformed generally means that the implementation has
83      determined the packet does not match the format defined in RFC 2866.
84      Those implementations are used in deployments today, and thus set the
85      de-facto definition of "malformed".

87   2. Introduction

89      This memo defines a portion of the Management Information Base (MIB)
90      for use with network management protocols in the Internet community.
91      The objects defined within this memo relate to the Remote
92      Authentication Dial-In User Service (RADIUS) Accounting Client as
93      defined in RFC 2866 [RFC2866].

95   3. The Internet-Standard Management Framework

97      For a detailed overview of the documents that describe the current
98      Internet-Standard Management Framework, please refer to section 7 of
99      RFC 3410 [RFC3410].

101     Managed objects are accessed via a virtual information store, termed
102     the Management Information Base or MIB. MIB objects are generally
103     accessed through the Simple Network Management Protocol (SNMP).
104     Objects in the MIB are defined using the mechanisms defined in the
105     Structure of Management Information (SMI). This memo specifies a MIB
106     module that is compliant to the SMIv2, which is described in STD 58,
107     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
108     [RFC2580].

110  4. Scope of Changes

112     This document obsoletes RFC 2620 [RFC2620], RADIUS Authentication
113     Client MIB, by deprecating the radiusAuthServerTable table and adding
114     a new table, radiusAuthServerExtTable, containing
115     radiusAuthServerInetAddressType, radiusAuthServerInetAddress, and
116     radiusAuthClientServerInetPortNumber. The purpose of these added MIB
117     objects is to support version neutral IP addressing formats. The
118     existing table containing radiusAuthServerAddress and
119     radiusAuthClientServerPortNumber is deprecated. The remaining MIB
120     objects from RFC 2620 are carried forward into this document.

122     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
123     IPv6 addresses, contains the following recommendation.

125     'In particular, when revising a MIB module that contains IPv4
126     specific tables, it is suggested to define new tables using the
127     textual conventions defined in this memo [RFC4001] that support all
128     versions of IP. The status of the new tables SHOULD be "current",
129     whereas the status of the old IP version specific tables SHOULD be
130     changed to "deprecated". The other approach, of having multiple
131     similar tables for different IP versions, is strongly discouraged.'

133  5. Structure of the MIB Module

135     The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
136     distinguishes between the client function and the server function.
137     In RADIUS accounting, clients send Accounting-Requests, and servers
138     reply with Accounting-Responses. Typically Network Access Server
139     (NAS) devices implement the client function, and thus would be
140     expected to implement the RADIUS accounting client MIB, while RADIUS
141     accounting servers implement the server function, and thus would be
142     expected to implement the RADIUS accounting server MIB.

144     However, it is possible for a RADIUS accounting entity to perform
145     both client and server functions. For example, a RADIUS proxy may
146     act as a server to one or more RADIUS accounting clients, while
147     simultaneously acting as an accounting client to one or more
148     accounting servers. In such situations, it is expected that RADIUS
149     entities combining client and server functionality will support both
150     the client and server MIBs. The client MIB is defined in this
151     document, and the server MIB is defined in [2621bis].

153     RFC Editor: Replace the above I-D reference with the assigned RFC
154     number at the time of publication and delete this note.

156     This MIB module contains two scalars as well as a single table, the
157     RADIUS Accounting Server Table, which contains one row for each
158     RADIUS server with which the client shares a secret. Each entry in
159     the RADIUS Accounting Server Table includes fifteen columns
160     presenting a view of the activity of the RADIUS client.

162  6. Deprecated Objects

164     The deprecated table in this MIB is carried forward from RFC 2620
165     [RFC2620]. There are two conditions under which it MAY be desirable
166     for managed entities to continue to support the deprecated table:

168     1. The managed entity only supports IPv4 address formats.
169     2. The managed entity supports both IPv4 and IPv6 address formats,
170        and the deprecated table is supported for backwards compatibility
171        with older management stations. This option SHOULD only be used
172        when the IP addresses in the new table are in IPv4 format and can
173        accurately be represented in both the new table and the
174        deprecated table.

176     Managed entities SHOULD NOT instantiate row entries in the deprecated
177     table, containing IPv4-only address objects, when the RADIUS
178     accounting server address represented in such a table row is not an
179     IPv4 address. Managed entities SHOULD NOT return inaccurate values
180     of IP address or SNMP object access errors for IPv4-only address
181     objects in otherwise populated tables. When row entries exist in
182     both the deprecated IPv4-only table and the new IP version neutral
183     table that describe the same RADIUS accounting server, the row
184     indexes SHOULD be the same for the corresponding rows in each table,
185     to facilitate correlation of these related rows by management
186     applications.

188  7. Definitions

190     RADIUS-ACC-CLIENT-MIB DEFINITIONS ::= BEGIN

192     IMPORTS
193            MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
194            Counter32, Integer32, Gauge32,
195            IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
196            SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
197            InetAddressType, InetAddress,
198            InetPortNumber                   FROM INET-ADDRESS-MIB
199            MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

201     radiusAccClientMIB MODULE-IDENTITY
202            LAST-UPDATED "200605100000Z" -- 10 May 2006
203            ORGANIZATION "IETF RADIUS Extensions Working Group."
204            CONTACT-INFO
205                   " Bernard Aboba
206                     Microsoft
207                     One Microsoft Way
208                     Redmond, WA 98052
209                     US
210                     Phone: +1 425 936 6605
211                     EMail: bernarda@microsoft.com"
212            DESCRIPTION
213                  "The MIB module for entities implementing the client
214                   side of the Remote Authentication Dial-In User Service
215                   (RADIUS) accounting protocol. Copyright (C) The
216                   Internet Society (2006). This version of this MIB
217                   module is part of RFC xxxx; see the RFC itself for
218                   full legal notices."

220     -- RFC Editor: replace xxxx with actual RFC number at the time of
221     -- publication, and remove this note.

223            REVISION "200605100000Z" -- 10 May 2006
224            DESCRIPTION
225                  "Revised version as published in RFC xxxx.
226                   This version obsoletes that of RFC 2620 by
227                   deprecating the MIB table containing IPv4-only
228                   address formats and defining a new table to add support
229                   for version neutral IP address formats. The remaining
230                   MIB objects from RFC 2620 are carried forward into this
231                   version."

233     -- RFC Editor: replace xxxx with actual RFC number at the time of
234     -- publication, and remove this note.

236            REVISION "199906110000Z" -- 11 Jun 1999
237            DESCRIPTION "Initial version as published in RFC 2620."

239            ::= { radiusAccounting 2 }

241     radiusMIB OBJECT-IDENTITY
242            STATUS current
243            DESCRIPTION
244                  "The OID assigned to RADIUS MIB work by the IANA."
245            ::= { mib-2 67 }

247     radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

249     radiusAccClientMIBObjects OBJECT IDENTIFIER
250            ::= { radiusAccClientMIB 1 }

252     radiusAccClient OBJECT IDENTIFIER
253            ::= { radiusAccClientMIBObjects 1 }

255     radiusAccClientInvalidServerAddresses OBJECT-TYPE
256            SYNTAX Counter32
257            UNITS "packets"
258            MAX-ACCESS read-only
259            STATUS current
260            DESCRIPTION
261                  "The number of RADIUS Accounting-Response packets
262                   received from unknown addresses."
263            ::= { radiusAccClient 1 }

265     radiusAccClientIdentifier OBJECT-TYPE
266            SYNTAX SnmpAdminString
267            MAX-ACCESS read-only
268            STATUS current
269            DESCRIPTION
270                  "The NAS-Identifier of the RADIUS accounting client.
271                   This is not necessarily the same as sysName in MIB
272                   II."
273            REFERENCE "RFC 2865 section 5.32"
274            ::= { radiusAccClient 2 }

276     radiusAccServerTable OBJECT-TYPE
277            SYNTAX SEQUENCE OF RadiusAccServerEntry
278            MAX-ACCESS not-accessible
279            STATUS deprecated
280            DESCRIPTION
281                  "The (conceptual) table listing the RADIUS accounting
282                   servers with which the client shares a secret."
283            ::= { radiusAccClient 3 }

285     radiusAccServerEntry OBJECT-TYPE
286            SYNTAX RadiusAccServerEntry
287            MAX-ACCESS not-accessible
288            STATUS deprecated
289            DESCRIPTION
290                  "An entry (conceptual row) representing a RADIUS
291                   accounting server with which the client shares a
292                   secret."
293            INDEX { radiusAccServerIndex }
294            ::= { radiusAccServerTable 1 }

296     RadiusAccServerEntry ::= SEQUENCE {
297            radiusAccServerIndex               Integer32,
298            radiusAccServerAddress             IpAddress,
299            radiusAccClientServerPortNumber    Integer32,
300            radiusAccClientRoundTripTime       TimeTicks,
301            radiusAccClientRequests            Counter32,
302            radiusAccClientRetransmissions     Counter32,
303            radiusAccClientResponses           Counter32,
304            radiusAccClientMalformedResponses  Counter32,
305            radiusAccClientBadAuthenticators   Counter32,
306            radiusAccClientPendingRequests     Gauge32,
307            radiusAccClientTimeouts            Counter32,
308            radiusAccClientUnknownTypes        Counter32,
309            radiusAccClientPacketsDropped      Counter32
310     }

312     radiusAccServerIndex OBJECT-TYPE
313            SYNTAX Integer32 (1..2147483647)
314            MAX-ACCESS not-accessible
315            STATUS deprecated
316            DESCRIPTION
317                  "A number uniquely identifying each RADIUS
318                   Accounting server with which this client
319                   communicates."
320            ::= { radiusAccServerEntry 1 }

322     radiusAccServerAddress OBJECT-TYPE
323            SYNTAX IpAddress
324            MAX-ACCESS read-only
325            STATUS deprecated
326            DESCRIPTION
327                  "The IP address of the RADIUS accounting server
328                   referred to in this table entry."
329            ::= { radiusAccServerEntry 2 }

331     radiusAccClientServerPortNumber OBJECT-TYPE
332            SYNTAX Integer32 (0..65535)
333            MAX-ACCESS read-only
334            STATUS deprecated
335            DESCRIPTION
336                  "The UDP port the client is using to send requests to
337                   this server."
338            REFERENCE "RFC 2866 section 3"
339            ::= { radiusAccServerEntry 3 }

341     radiusAccClientRoundTripTime OBJECT-TYPE
342            SYNTAX TimeTicks
343            MAX-ACCESS read-only
344            STATUS deprecated
345            DESCRIPTION
346                  "The time interval between the most recent
347                   Accounting-Response and the Accounting-Request that
348                   matched it from this RADIUS accounting server."
349            REFERENCE "RFC 2866 section 2"
350            ::= { radiusAccServerEntry 4 }

352     -- Request/Response statistics
353     --
354     -- Requests = Responses + PendingRequests + ClientTimeouts
355     --
356     -- Responses - MalformedResponses - BadAuthenticators -
357     -- UnknownTypes - PacketsDropped = Successfully received

359     radiusAccClientRequests OBJECT-TYPE
360            SYNTAX Counter32
361            UNITS "packets"
362            MAX-ACCESS read-only
363            STATUS deprecated
364            DESCRIPTION
365                  "The number of RADIUS Accounting-Request packets
366                   sent. This does not include retransmissions."
367            REFERENCE "RFC 2866 section 4.1"
368            ::= { radiusAccServerEntry 5 }

370     radiusAccClientRetransmissions OBJECT-TYPE
371            SYNTAX Counter32
372            UNITS "packets"
373            MAX-ACCESS read-only
374            STATUS deprecated
375            DESCRIPTION
376                  "The number of RADIUS Accounting-Request packets
377                   retransmitted to this RADIUS accounting server.
378                   Retransmissions include retries where the
379                   Identifier and Acct-Delay have been updated, as
380                   well as those in which they remain the same."
381            REFERENCE "RFC 2866 section 2"
382            ::= { radiusAccServerEntry 6 }

384     radiusAccClientResponses OBJECT-TYPE
385            SYNTAX Counter32
386            UNITS "packets"
387            MAX-ACCESS read-only
388            STATUS deprecated
389            DESCRIPTION
390                  "The number of RADIUS packets received on the
391                   accounting port from this server."
392            REFERENCE "RFC 2866 section 4.2"
393            ::= { radiusAccServerEntry 7 }

395     radiusAccClientMalformedResponses OBJECT-TYPE
396            SYNTAX Counter32
397            UNITS "packets"
398            MAX-ACCESS read-only
399            STATUS deprecated
400            DESCRIPTION
401                  "The number of malformed RADIUS Accounting-Response
402                   packets received from this server. Malformed packets
403                   include packets with an invalid length. Bad
404                   authenticators and unknown types are not included as
405                   malformed accounting responses."
406            REFERENCE "RFC 2866 section 3"
407            ::= { radiusAccServerEntry 8 }

409     radiusAccClientBadAuthenticators OBJECT-TYPE
410            SYNTAX Counter32
411            UNITS "packets"
412            MAX-ACCESS read-only
413            STATUS deprecated
414            DESCRIPTION
415                  "The number of RADIUS Accounting-Response
416                   packets which contained invalid authenticators
417                   received from this server."
418            REFERENCE "RFC 2866 section 3"
419            ::= { radiusAccServerEntry 9 }

421     radiusAccClientPendingRequests OBJECT-TYPE
422            SYNTAX Gauge32
423            UNITS "packets"
424            MAX-ACCESS read-only
425            STATUS deprecated
426            DESCRIPTION
427                  "The number of RADIUS Accounting-Request packets
428                   sent to this server that have not yet timed out or
429                   received a response. This variable is incremented
430                   when an Accounting-Request is sent and decremented
431                   due to receipt of an Accounting-Response, a timeout
432                   or a retransmission."
433            REFERENCE "RFC 2866 section 2"
434            ::= { radiusAccServerEntry 10 }

436     radiusAccClientTimeouts OBJECT-TYPE
437            SYNTAX Counter32
438            UNITS "timeouts"
439            MAX-ACCESS read-only
440            STATUS deprecated
441            DESCRIPTION
442                  "The number of accounting timeouts to this server.
443                   After a timeout the client may retry to the same
444                   server, send to a different server, or give up.
445                   A retry to the same server is counted as a
446                   retransmit as well as a timeout. A send to a different
447                   server is counted as an Accounting-Request as well as
448                   a timeout."
449            REFERENCE "RFC 2866 section 2"
450            ::= { radiusAccServerEntry 11 }

452     radiusAccClientUnknownTypes OBJECT-TYPE
453            SYNTAX Counter32
454            UNITS "packets"
455            MAX-ACCESS read-only
456            STATUS deprecated
457            DESCRIPTION
458                  "The number of RADIUS packets of unknown type which
459                   were received from this server on the accounting port."
460            REFERENCE "RFC 2866 section 4"
461            ::= { radiusAccServerEntry 12 }

463     radiusAccClientPacketsDropped OBJECT-TYPE
464            SYNTAX Counter32
465            UNITS "packets"
466            MAX-ACCESS read-only
467            STATUS deprecated
468            DESCRIPTION
469                  "The number of RADIUS packets which were received from
470                   this server on the accounting port and dropped for some
471                   other reason."
472            ::= { radiusAccServerEntry 13 }

474     -- New MIB objects added in this revision

476     radiusAccServerExtTable OBJECT-TYPE
477            SYNTAX SEQUENCE OF RadiusAccServerExtEntry
478            MAX-ACCESS not-accessible
479            STATUS current
480            DESCRIPTION
481                  "The (conceptual) table listing the RADIUS accounting
482                   servers with which the client shares a secret."
483            ::= { radiusAccClient 4 }

485     radiusAccServerExtEntry OBJECT-TYPE
486            SYNTAX RadiusAccServerExtEntry
487            MAX-ACCESS not-accessible
488            STATUS current
489            DESCRIPTION
490                  "An entry (conceptual row) representing a RADIUS
491                   accounting server with which the client shares a
492                   secret."
493            INDEX { radiusAccServerExtIndex }
494            ::= { radiusAccServerExtTable 1 }

496     RadiusAccServerExtEntry ::= SEQUENCE {
497            radiusAccServerExtIndex               Integer32,
498            radiusAccServerInetAddressType        InetAddressType,
499            radiusAccServerInetAddress            InetAddress,
500            radiusAccClientServerInetPortNumber   InetPortNumber,
501            radiusAccClientExtRoundTripTime       TimeTicks,
502            radiusAccClientExtRequests            Counter32,
503            radiusAccClientExtRetransmissions     Counter32,
504            radiusAccClientExtResponses           Counter32,
505            radiusAccClientExtMalformedResponses  Counter32,
506            radiusAccClientExtBadAuthenticators   Counter32,
507            radiusAccClientExtPendingRequests     Gauge32,
508            radiusAccClientExtTimeouts            Counter32,
509            radiusAccClientExtUnknownTypes        Counter32,
510            radiusAccClientExtPacketsDropped      Counter32,
511            radiusAccClientCounterDiscontinuity   TimeTicks
512     }

514     radiusAccServerExtIndex OBJECT-TYPE
515            SYNTAX Integer32 (1..2147483647)
516            MAX-ACCESS not-accessible
517            STATUS current
518            DESCRIPTION
519                  "A number uniquely identifying each RADIUS
520                   Accounting server with which this client
521                   communicates."
522            ::= { radiusAccServerExtEntry 1 }

524     radiusAccServerInetAddressType OBJECT-TYPE
525            SYNTAX InetAddressType
526            MAX-ACCESS read-only
527            STATUS current
528            DESCRIPTION
529                  "The type of address format used for the
530                   radiusAccServerInetAddress object."
531            ::= { radiusAccServerExtEntry 2 }

533     radiusAccServerInetAddress OBJECT-TYPE
534            SYNTAX InetAddress
535            MAX-ACCESS read-only
536            STATUS current
537            DESCRIPTION
538                  "The IP address of the RADIUS accounting
539                   server referred to in this table entry, using
540                   the version neutral IP address format."
541            ::= { radiusAccServerExtEntry 3 }

543     radiusAccClientServerInetPortNumber OBJECT-TYPE
544            SYNTAX InetPortNumber ( 1..65535 )
545            MAX-ACCESS read-only
546            STATUS current
547            DESCRIPTION
548                  "The UDP port the client is using to send requests
549                   to this accounting server. The value zero (0) is
550                   invalid."
551            REFERENCE "RFC 2866 section 3"
552            ::= { radiusAccServerExtEntry 4 }

554     radiusAccClientExtRoundTripTime OBJECT-TYPE
555            SYNTAX TimeTicks
556            MAX-ACCESS read-only
557            STATUS current
558            DESCRIPTION
559                  "The time interval between the most recent
560                   Accounting-Response and the Accounting-Request that
561                   matched it from this RADIUS accounting server."
562            REFERENCE "RFC 2866 section 2"
563            ::= { radiusAccServerExtEntry 5 }

565     -- Request/Response statistics
566     --
567     -- Requests = Responses + PendingRequests + ClientTimeouts
568     --
569     -- Responses - MalformedResponses - BadAuthenticators -
570     -- UnknownTypes - PacketsDropped = Successfully received

572     radiusAccClientExtRequests OBJECT-TYPE
573            SYNTAX Counter32
574            UNITS "packets"
575            MAX-ACCESS read-only
576            STATUS current
577            DESCRIPTION
578                  "The number of RADIUS Accounting-Request packets
579                   sent. This does not include retransmissions.
580                   This counter may experience a discontinuity when the
581                   RADIUS Accounting Client module within the managed
582                   entity is reinitialized, as indicated by the current
583                   value of radiusAccClientCounterDiscontinuity."
584            REFERENCE "RFC 2866 section 4.1"
585            ::= { radiusAccServerExtEntry 6 }

587     radiusAccClientExtRetransmissions OBJECT-TYPE
588            SYNTAX Counter32
589            UNITS "packets"
590            MAX-ACCESS read-only
591            STATUS current
592            DESCRIPTION
593                  "The number of RADIUS Accounting-Request packets
594                   retransmitted to this RADIUS accounting server.
595                   Retransmissions include retries where the
596                   Identifier and Acct-Delay have been updated, as
597                   well as those in which they remain the same.
598                   This counter may experience a discontinuity when the
599                   RADIUS Accounting Client module within the managed
600                   entity is reinitialized, as indicated by the current
601                   value of radiusAccClientCounterDiscontinuity."
602            REFERENCE "RFC 2866 section 2"
603            ::= { radiusAccServerExtEntry 7 }

605     radiusAccClientExtResponses OBJECT-TYPE
606            SYNTAX Counter32
607            UNITS "packets"
608            MAX-ACCESS read-only
609            STATUS current
610            DESCRIPTION
611                  "The number of RADIUS packets received on the
612                   accounting port from this server. This counter
613                   may experience a discontinuity when the RADIUS
614                   Accounting Client module within the managed entity is
615                   reinitialized, as indicated by the current value of
616                   radiusAccClientCounterDiscontinuity."
617            REFERENCE "RFC 2866 section 4.2"
618            ::= { radiusAccServerExtEntry 8 }

620     radiusAccClientExtMalformedResponses OBJECT-TYPE
621            SYNTAX Counter32
622            UNITS "packets"
623            MAX-ACCESS read-only
624            STATUS current
625            DESCRIPTION
626                  "The number of malformed RADIUS Accounting-Response
627                   packets received from this server. Malformed packets
628                   include packets with an invalid length. Bad
629                   authenticators and unknown types are not included as
630                   malformed accounting responses. This counter may
631                   experience a discontinuity when the RADIUS Accounting
632                   Client module within the managed entity is
633                   reinitialized, as indicated by the current
634                   value of radiusAccClientCounterDiscontinuity."
635            REFERENCE "RFC 2866 section 3"
636            ::= { radiusAccServerExtEntry 9 }

638     radiusAccClientExtBadAuthenticators OBJECT-TYPE
639            SYNTAX Counter32
640            UNITS "packets"
641            MAX-ACCESS read-only
642            STATUS current
643            DESCRIPTION
644                  "The number of RADIUS Accounting-Response
645                   packets which contained invalid authenticators
646                   received from this server. This counter may
647                   experience a discontinuity when the RADIUS
648                   Accounting Client module within the managed
649                   entity is reinitialized, as indicated by the
650                   current value of
651                   radiusAccClientCounterDiscontinuity."
652            REFERENCE "RFC 2866 section 3"
653            ::= { radiusAccServerExtEntry 10 }

655     radiusAccClientExtPendingRequests OBJECT-TYPE
656            SYNTAX Gauge32
657            UNITS "packets"
658            MAX-ACCESS read-only
659            STATUS current
660            DESCRIPTION
661                  "The number of RADIUS Accounting-Request packets
662                   sent to this server that have not yet timed out or
663                   received a response. This variable is incremented
664                   when an Accounting-Request is sent and decremented
665                   due to receipt of an Accounting-Response, a timeout
666                   or a retransmission. This counter may experience a
667                   discontinuity when the RADIUS Accounting Client module
668                   within the managed entity is reinitialized, as
669                   indicated by the current value of
670                   radiusAccClientCounterDiscontinuity."
671            REFERENCE "RFC 2866 section 2"
672            ::= { radiusAccServerExtEntry 11 }

674     radiusAccClientExtTimeouts OBJECT-TYPE
675            SYNTAX Counter32
676            UNITS "timeouts"
677            MAX-ACCESS read-only
678            STATUS current
679            DESCRIPTION
680                  "The number of accounting timeouts to this server.
681                   After a timeout the client may retry to the same
682                   server, send to a different server, or give up.
683                   A retry to the same server is counted as a
684                   retransmit as well as a timeout. A send to a different
685                   server is counted as an Accounting-Request as well as
686                   a timeout. This counter may experience a discontinuity
687                   when the RADIUS Accounting Client module within the
688                   managed entity is reinitialized, as indicated by the
689                   current value of radiusAccClientCounterDiscontinuity."
690            REFERENCE "RFC 2866 section 2"
691            ::= { radiusAccServerExtEntry 12 }

693     radiusAccClientExtUnknownTypes OBJECT-TYPE
694            SYNTAX Counter32
695            UNITS "packets"
696            MAX-ACCESS read-only
697            STATUS current
698            DESCRIPTION
699                  "The number of RADIUS packets of unknown type which
700                   were received from this server on the accounting port.
701                   This counter may experience a discontinuity when the
702                   RADIUS Accounting Client module within the managed
703                   entity is reinitialized, as indicated by the current
704                   value of radiusAccClientCounterDiscontinuity."
705            REFERENCE "RFC 2866 section 4"
706            ::= { radiusAccServerExtEntry 13 }

708     radiusAccClientExtPacketsDropped OBJECT-TYPE
709            SYNTAX Counter32
710            UNITS "packets"
711            MAX-ACCESS read-only
712            STATUS current
713            DESCRIPTION
714                  "The number of RADIUS packets which were received from
715                   this server on the accounting port and dropped for some
716                   other reason. This counter may experience a
717                   discontinuity when the RADIUS Accounting Client module
718                   within the managed entity is reinitialized, as indicated
719                   by the current value of
720                   radiusAccClientCounterDiscontinuity."
721            ::= { radiusAccServerExtEntry 14 }

723     radiusAccClientCounterDiscontinuity OBJECT-TYPE
724            SYNTAX TimeTicks
725            UNITS "centiseconds"
726            MAX-ACCESS read-only
727            STATUS current
728            DESCRIPTION
729                  "The number of centiseconds since the last
730                   discontinuity in the RADIUS Accounting Client
731                   counters. A discontinuity may be the result of a
732                   reinitialization of the RADIUS Accounting Client
733                   module within the managed entity."

735            ::= { radiusAccServerExtEntry 15 }

737     -- conformance information

739     radiusAccClientMIBConformance OBJECT IDENTIFIER
740            ::= { radiusAccClientMIB 2 }

742     radiusAccClientMIBCompliances OBJECT IDENTIFIER
743            ::= { radiusAccClientMIBConformance 1 }

745     radiusAccClientMIBGroups OBJECT IDENTIFIER
746            ::= { radiusAccClientMIBConformance 2 }

748     -- units of conformance

750     radiusAccClientMIBCompliance MODULE-COMPLIANCE
751            STATUS deprecated
752            DESCRIPTION
753                  "The compliance statement for accounting clients
754                   implementing the RADIUS Accounting Client MIB.
755                   Implementation of this module is for IPv4-only
756                   entities, or for backwards compatibility use with
757                   entities that support both IPv4 and IPv6."
758            MODULE -- this module
759                   MANDATORY-GROUPS { radiusAccClientMIBGroup }

761            ::= { radiusAccClientMIBCompliances 1 }

763     radiusAccClientExtMIBCompliance MODULE-COMPLIANCE
764            STATUS current
765            DESCRIPTION
766                  "The compliance statement for accounting
767                   clients implementing the RADIUS Accounting
768                   Client IPv6 Extensions MIB. Implementation of
769                   this module is for entities that support IPv6,
770                   or support IPv4 and IPv6."
771            MODULE -- this module
772                   MANDATORY-GROUPS { radiusAccClientExtMIBGroup }

774            OBJECT radiusAccServerInetAddressType
775            SYNTAX InetAddressType { ipv4(1), ipv6(2) }
776            DESCRIPTION
777                  "An implementation is only required to support
778                   IPv4 and globally unique IPv6 addresses."

780            OBJECT radiusAccServerInetAddress
781            SYNTAX InetAddress ( SIZE (4|16) )
782            DESCRIPTION
783                  "An implementation is only required to support
784                   IPv4 and globally unique IPv6 addresses."

786            ::= { radiusAccClientMIBCompliances 2 }

788     -- units of conformance

790     radiusAccClientMIBGroup OBJECT-GROUP
791            OBJECTS { radiusAccClientIdentifier,
792                      radiusAccClientInvalidServerAddresses,
793                      radiusAccServerAddress,
794                      radiusAccClientServerPortNumber,
795                      radiusAccClientRoundTripTime,
796                      radiusAccClientRequests,
797                      radiusAccClientRetransmissions,
798                      radiusAccClientResponses,
799                      radiusAccClientMalformedResponses,
800                      radiusAccClientBadAuthenticators,
801                      radiusAccClientPendingRequests,
802                      radiusAccClientTimeouts,
803                      radiusAccClientUnknownTypes,
804                      radiusAccClientPacketsDropped
805            }
806            STATUS deprecated
807            DESCRIPTION
808                  "The basic collection of objects providing management of
809                   RADIUS Accounting Clients."
810           ::= { radiusAccClientMIBGroups 1 }

812     radiusAccClientExtMIBGroup OBJECT-GROUP
813           OBJECTS { radiusAccClientIdentifier,
814                     radiusAccClientInvalidServerAddresses,
815                     radiusAccServerInetAddressType,
816                     radiusAccServerInetAddress,
817                     radiusAccClientServerInetPortNumber,
818                     radiusAccClientExtRoundTripTime,
819                     radiusAccClientExtRequests,
820                     radiusAccClientExtRetransmissions,
821                     radiusAccClientExtResponses,
822                     radiusAccClientExtMalformedResponses,
823                     radiusAccClientExtBadAuthenticators,
824                     radiusAccClientExtPendingRequests,
825                     radiusAccClientExtTimeouts,
826                     radiusAccClientExtUnknownTypes,
827                     radiusAccClientExtPacketsDropped,
828                     radiusAccClientCounterDiscontinuity
829                   }
830           STATUS current
831           DESCRIPTION
832              "The basic collection of objects providing management of
833               RADIUS Accounting Clients."
834           ::= { radiusAccClientMIBGroups 2 }

836     END

838  8.  IANA Considerations

840     This document requires no new IANA assignments.

842  9.  Security Considerations

844     There are no management objects defined in this MIB that have a MAX-
845     ACCESS clause of read-write and/or read-create.  So, if this MIB is
846     implemented correctly, then there is no risk that an intruder can
847     alter or create any management objects of this MIB via direct SNMP
848     SET operations.

850     There are a number of managed objects in this MIB that may contain
851     sensitive information.  These are:

853     radiusAcctServerIPAddress  This can be used to determine the address
854        of the RADIUS accounting server with which the client is
855        communicating.  This information could be useful in mounting an
856        attack on the accounting server.

858     radiusAcctServerInetAddress  This can be used to determine the address
859        of the RADIUS accounting server with which the client is
860        communicating.  This information could be useful in mounting an
861        attack on the accounting server.

863     radiusAcctClientServerPortNumber  This can be used to determine the
864        port number on which the RADIUS accounting client is sending.
865        This information could be useful in impersonating the client in
866        order to send data to the accounting server.

868     radiusAcctClientServerInetPortNumber  This can be used to determine
869        the port number on which the RADIUS accounting client is sending.
870        This information could be useful in impersonating the client in
871        order to send data to the accounting server.

873     It is thus important to control even GET access to these objects and
874     possibly to even encrypt the values of these objects when sending them
875     over the network via SNMP.  Not all versions of SNMP provide features
876     for such a secure environment.

878     SNMP versions prior to SNMPv3 do not provide a secure environment.
879     Even if the network itself is secure (for example by using IPsec),
880     there is no control as to who on the secure network is allowed to
881     access and GET/SET (read/change/create/delete) the objects in this
882     MIB.

884     It is RECOMMENDED that implementers consider the security features as
885     provided by the SNMPv3 framework (see [RFC3410], section 8),
886     including full support for the SNMPv3 cryptographic mechanisms (for
887     authentication and privacy).

889     Further, deployment of SNMP versions prior to SNMPv3 is NOT
890     RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
891     enable cryptographic security.  It is then a customer/operator
892     responsibility to ensure that the SNMP entity giving access to an
893     instance of this MIB module is properly configured to give access to
894     the objects only to those principals (users) that have legitimate
895     rights to indeed GET or SET (change/create/delete) them.

897  10.  References

899  10.1.  Normative References

901     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
902                Requirement Levels", BCP 14, RFC 2119, March 1997.

904     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
905                Schoenwaelder, Ed., "Structure of Management Information
906                Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

908     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
909                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
910                STD 58, RFC 2579, April 1999.

912     [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
913                "Conformance Statements for SMIv2", STD 58, RFC 2580,
914                April 1999.

916     [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

918     [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
919                Schoenwaelder, "Textual Conventions for Internet Network
920                Addresses", RFC 4001, February 2005.

922  10.2.  Informative References

924     [2621bis]  Nelson, D., "RADIUS Accounting Server MIB for IPv6",
925                draft-ietf-radext-rfc2621bis-04.txt (work in progress),
926                June 2006.

928     [RFC2620]  Aboba, B. and G. Zorn, "RADIUS Accounting Client MIB",
929                RFC 2620, June 1999.

931     [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
932                "Introduction and Applicability Statements for Internet-
933                Standard Management Framework", RFC 3410, December 2002.

935  Appendix A.  Acknowledgments

937     The authors of the original MIB are Bernard Aboba and Glen Zorn.

939     Many thanks to all reviewers, especially to Dave Harrington, Dan
940     Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.

942  Author's Address

944     David B. Nelson
945     Enterasys Networks
946     50 Minuteman Road
947     Andover, MA 01810
948     USA

950     Email: dnelson@enterasys.com

952  Intellectual Property Statement

954     The IETF takes no position regarding the validity or scope of any
955     Intellectual Property Rights or other rights that might be claimed to
956     pertain to the implementation or use of the technology described in
957     this document or the extent to which any license under such rights
958     might or might not be available; nor does it represent that it has
959     made any independent effort to identify any such rights.  Information
960     on the procedures with respect to rights in RFC documents can be
961     found in BCP 78 and BCP 79.

963     Copies of IPR disclosures made to the IETF Secretariat and any
964     assurances of licenses to be made available, or the result of an
965     attempt made to obtain a general license or permission for the use of
966     such proprietary rights by implementers or users of this
967     specification can be obtained from the IETF on-line IPR repository at
968     http://www.ietf.org/ipr.

970     The IETF invites any interested party to bring to its attention any
971     copyrights, patents or patent applications, or other proprietary
972     rights that may cover technology that may be required to implement
973     this standard.  Please address the information to the IETF at
974     ietf-ipr@ietf.org.

976  Disclaimer of Validity

978     This document and the information contained herein are provided on an
979     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
980     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
981     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
982     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
983     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
984     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

986  Copyright Statement

988     Copyright (C) The Internet Society (2006).  This document is subject
989     to the rights, licenses and restrictions contained in BCP 78, and
990     except as set forth therein, the authors retain all their rights.

992  Acknowledgment

994     Funding for the RFC Editor function is currently provided by the
995     Internet Society.