idnits 2.17.1

draft-ietf-radext-rfc2621bis-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1014.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 991.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 998.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1004.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to
     RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you
     can ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (January 25, 2006) is 6656 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative
     references to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC 4001' is mentioned on line 127, but not defined

  == Unused Reference: 'RFC2574' is defined on line 917, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2575' is defined on line 921, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3411' is defined on line 943, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3418' is defined on line 948, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2865' is defined on line 961, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2574 (Obsoleted by RFC 3414)

  ** Obsolete normative reference: RFC 2575 (Obsoleted by RFC 3415)

  ** Downref: Normative reference to an Informational RFC: RFC 2866

  ** Downref: Normative reference to an Informational RFC: RFC 3410

  -- Obsolete informational reference (is this intentional?): RFC 2621
     (Obsoleted by RFC 4671)

  Summary: 7 errors (**), 0 flaws (~~), 10 warnings (==), 8 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.
--------------------------------------------------------------------------------
2    Network Working Group                                          D. Nelson
3    Internet-Draft                                        Enterasys Networks
4    Obsoletes: RFC 2621 (if approved)                       January 25, 2006
5    Expires: July 29, 2006

7                         RADIUS Acct Server MIB (IPv6)
8                      draft-ietf-radext-rfc2621bis-02.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups. Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time. It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress."

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33      This Internet-Draft will expire on July 29, 2006.

35   Copyright Notice

37      Copyright (C) The Internet Society (2006).

39   Abstract

41      This memo defines a set of extensions which instrument RADIUS
42      accounting server functions. These extensions represent a portion of
43      the Management Information Base (MIB) for use with network management
44      protocols in the Internet community. Using these extensions IP-based
45      management stations can manage RADIUS accounting servers.

47      This memo obsoletes RFC 2621 by deprecating the MIB table containing
48      IPv4-only address formats and defining a new table to add support for
49      version neutral IP address formats. The remaining MIB objects from
50      RFC 2621 are carried forward into this document. This memo also adds
51      UNITS and REFERENCE clauses to selected objects.

53   Table of Contents

55      1.  Terminology
56      2.  Introduction
57      3.  The Internet-Standard Management Framework
58      4.  Scope of Changes
59      5.  Structure of the MIB Module
60      6.  Deprecated Objects
61      7.  Definitions
62      8.  IANA Considerations
63      9.  Security Considerations
64      10. References
65        10.1. Normative References
66        10.2. Informative References
67      Appendix A. Acknowledgments
68      Author's Address
69      Intellectual Property and Copyright Statements

71   1. Terminology

73      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75      document are to be interpreted as described in RFC 2119 [RFC2119].

77      This document uses terminology from RFC 2866 [RFC2866].

79      This document uses the word "malformed" with respect to RADIUS
80      packets, particularly in the context of counters of "malformed
81      packets". While RFC 2866 does not provide an explicit definition of
82      "malformed", malformed generally means that the implementation has
83      determined the packet does not match the format defined in RFC 2866.
84      Those implementations are used in deployments today, and thus set the
85      de-facto definition of "malformed".

87   2. Introduction

89      This memo defines a portion of the Management Information Base (MIB)
90      for use with network management protocols in the Internet community.
91      The objects defined within this memo relate to the Remote
92      Authentication Dial-In User Service (RADIUS) Accounting Server as
93      defined in RFC 2866 [RFC2866].

95   3. The Internet-Standard Management Framework

97      For a detailed overview of the documents that describe the current
98      Internet-Standard Management Framework, please refer to section 7 of
99      RFC 3410 [RFC3410].

101     Managed objects are accessed via a virtual information store, termed
102     the Management Information Base or MIB. MIB objects are generally
103     accessed through the Simple Network Management Protocol (SNMP).
104     Objects in the MIB are defined using the mechanisms defined in the
105     Structure of Management Information (SMI). This memo specifies a MIB
106     module that is compliant to the SMIv2, which is described in STD 58,
107     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
108     [RFC2580].

110  4. Scope of Changes

112     This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
113     MIB, by deprecating the radiusAccClientTable table and adding a new
114     table, radiusAccClientExtTable, containing
115     radiusAccClientInetAddressType and radiusAccClientInetAddress. The
116     purpose of these added MIB objects is to support version neutral IP
117     addressing formats. The existing table containing
118     radiusAccClientAddress is deprecated. The remaining MIB objects from
119     RFC 2621 are carried forward into this document. This memo also adds
120     UNITS and REFERENCE clauses to selected objects.

122     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
123     version neutral IP addresses, contains the following recommendation.

125     'In particular, when revising a MIB module that contains IPv4
126     specific tables, it is suggested to define new tables using the
127     textual conventions defined in this memo [RFC 4001] that support all
128     versions of IP. The status of the new tables SHOULD be "current",
129     whereas the status of the old IP version specific tables SHOULD be
130     changed to "deprecated". The other approach, of having multiple
131     similar tables for different IP versions, is strongly discouraged.'

133  5. Structure of the MIB Module

135     The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
136     distinguishes between the client function and the server function.
137     In RADIUS accounting, clients send Accounting-Requests, and servers
138     reply with Accounting-Responses. Typically Network Access Server
139     (NAS) devices implement the client function, and thus would be
140     expected to implement the RADIUS accounting client MIB, while RADIUS
141     accounting servers implement the server function, and thus would be
142     expected to implement the RADIUS accounting server MIB.

144     However, it is possible for a RADIUS accounting entity to perform
145     both client and server functions. For example, a RADIUS proxy may
146     act as a server to one or more RADIUS accounting clients, while
147     simultaneously acting as an accounting client to one or more
148     accounting servers. In such situations, it is expected that RADIUS
149     entities combining client and server functionality will support both
150     the client and server MIBs.

152     This MIB module contains thirteen scalars as well as a single table,
153     the RADIUS Accounting Client Table, which contains one row for each
154     RADIUS accounting client with which the server shares a secret. Each
155     entry in the RADIUS Accounting Client Table includes eleven columns
156     presenting a view of the activity of the RADIUS accounting server.

158  6. Deprecated Objects

160     The deprecated table in this MIB is carried forward from RFC 2621
161     [RFC2621]. There are two conditions under which it MAY be desirable
162     for managed entities to continue to support the deprecated table:

164     1. The managed entity only supports IPv4 address formats.
165     2. The managed entity supports both IPv4 and IPv6 address formats,
166        and the deprecated table is supported for backwards compatibility
167        with older management stations. This option SHOULD only be used
168        when the IP addresses in the new table are in IPv4 format and can
169        accurately be represented in both the new table and the
170        deprecated table.

172     Managed entities SHOULD NOT instantiate row entries in the deprecated
173     table, containing IPv4-only address objects, when the RADIUS
174     accounting client address represented in such a table row is not an
175     IPv4 address. Managed entities SHOULD NOT return inaccurate values
176     of IP address or SNMP object access errors for IPv4-only address
177     objects in otherwise populated tables. When row entries exist in
178     both the deprecated IPv4-only table and the new IP version neutral
179     table that describe the same RADIUS accounting client, the row
180     indexes SHOULD be the same for the corresponding rows in each table,
181     to facilitate correlation of these related rows by management
182     applications.

184  7. Definitions

186     RADIUS-ACCT-SERVER-MIB DEFINITIONS ::= BEGIN

188     IMPORTS
189         MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
190         Counter32, Integer32,
191         IpAddress, TimeTicks, mib-2 FROM SNMPv2-SMI
192         SnmpAdminString FROM SNMP-FRAMEWORK-MIB
193         InetAddressType, InetAddress FROM INET-ADDRESS-MIB
194         MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF;

196     radiusAccServMIB MODULE-IDENTITY
197         LAST-UPDATED "200601250000Z" -- 25 Jan 2006
198         ORGANIZATION "IETF RADIUS Extensions Working Group."
199         CONTACT-INFO
200             " Bernard Aboba
201               Microsoft
202               One Microsoft Way
203               Redmond, WA 98052
204               US
205               Phone: +1 425 936 6605
206               EMail: bernarda@microsoft.com"
207         DESCRIPTION
208             "The MIB module for entities implementing the server
209             side of the Remote Authentication Dial-In User
210             Service (RADIUS) accounting protocol."
211         REVISION "200601250000Z" -- 25 Jan 2006
212         DESCRIPTION "Revised version as published in RFC xxxx.
213             This version obsoletes that of RFC 2621 by deprecating the
214             MIB table containing IPv4-only address formats and defining
215             a new table to add support for version neutral IP address
216             formats. The remaining MIB objects from RFC 2621 are carried
217             forward into this version."
218         REVISION "9906110000Z" -- 11 Jun 1999
219         DESCRIPTION "Initial version as published in RFC 2621."

221     -- RFC Editor: replace xxxx with actual RFC number at the time of
222     -- publication, and remove this note.

224         ::= { radiusAccounting 1 }

226     radiusMIB OBJECT-IDENTITY
227         STATUS current
228         DESCRIPTION
229             "The OID assigned to RADIUS MIB work by the IANA."
230         ::= { mib-2 67 }

232     radiusAccounting OBJECT IDENTIFIER ::= {radiusMIB 2}

234     radiusAccServMIBObjects OBJECT IDENTIFIER
235         ::= { radiusAccServMIB 1 }

237     radiusAccServ OBJECT IDENTIFIER
238         ::= { radiusAccServMIBObjects 1 }

240     radiusAccServIdent OBJECT-TYPE
241         SYNTAX SnmpAdminString
242         MAX-ACCESS read-only
243         STATUS current
244         DESCRIPTION
245             "The implementation identification string for the
246             RADIUS accounting server software in use on the
247             system, for example; `FNS-2.1'"
248         ::= {radiusAccServ 1}

250     radiusAccServUpTime OBJECT-TYPE
251         SYNTAX TimeTicks
252         MAX-ACCESS read-only
253         STATUS current
254         DESCRIPTION
255             "If the server has a persistent state (e.g., a
256             process), this value will be the time elapsed (in
257             hundredths of a second) since the server process was
258             started. For software without persistent state, this
259             value will be zero."
260         ::= {radiusAccServ 2}

262     radiusAccServResetTime OBJECT-TYPE
263         SYNTAX TimeTicks
264         MAX-ACCESS read-only
265         STATUS current
266         DESCRIPTION
267             "If the server has a persistent state (e.g., a process)
268             and supports a `reset' operation (e.g., can be told to
269             re-read configuration files), this value will be the
270             time elapsed (in hundredths of a second) since the
271             server was `reset.' For software that does not
272             have persistence or does not support a `reset'
273             operation, this value will be zero."
274         ::= {radiusAccServ 3}

276     radiusAccServConfigReset OBJECT-TYPE
277         SYNTAX INTEGER { other(1),
278                          reset(2),
279                          initializing(3),
280                          running(4)}
281         MAX-ACCESS read-write
282         STATUS current
283         DESCRIPTION
284             "Status/action object to reinitialize any persistent
285             server state. When set to reset(2), any persistent
286             server state (such as a process) is reinitialized as
287             if the server had just been started. This value will
288             never be returned by a read operation. When read,
289             one of the following values will be returned:
290                 other(1) - server in some unknown state;
291                 initializing(3) - server (re)initializing;
292                 running(4) - server currently running."
293         ::= {radiusAccServ 4}

295     radiusAccServTotalRequests OBJECT-TYPE
296         SYNTAX Counter32
297         UNITS "packets"
298         MAX-ACCESS read-only
299         STATUS current
300         DESCRIPTION
301             "The number of packets received on the
302             accounting port."

304         REFERENCE "RFC 2866 section 4.1"
305         ::= { radiusAccServ 5 }

307     radiusAccServTotalInvalidRequests OBJECT-TYPE
308         SYNTAX Counter32
309         UNITS "packets"
310         MAX-ACCESS read-only
311         STATUS current
312         DESCRIPTION
313             "The number of RADIUS Accounting-Request packets
314             received from unknown addresses."
315         REFERENCE "RFC 2866 sections 2, 4.1"
316         ::= { radiusAccServ 6 }

318     radiusAccServTotalDupRequests OBJECT-TYPE
319         SYNTAX Counter32
320         UNITS "packets"
321         MAX-ACCESS read-only
322         STATUS current
323         DESCRIPTION
324             "The number of duplicate RADIUS Accounting-Request
325             packets received."
326         REFERENCE "RFC 2866 section 4.1"
327         ::= { radiusAccServ 7 }

329     radiusAccServTotalResponses OBJECT-TYPE
330         SYNTAX Counter32
331         UNITS "packets"
332         MAX-ACCESS read-only
333         STATUS current
334         DESCRIPTION
335             "The number of RADIUS Accounting-Response packets
336             sent."
337         REFERENCE "RFC 2866 section 4.2"
338         ::= { radiusAccServ 8 }

340     radiusAccServTotalMalformedRequests OBJECT-TYPE
341         SYNTAX Counter32
342         UNITS "packets"
343         MAX-ACCESS read-only
344         STATUS current
345         DESCRIPTION
346             "The number of malformed RADIUS Accounting-Request
347             packets received. Bad authenticators or unknown
348             types are not included as malformed Access-Requests."
349         REFERENCE "RFC 2866 section 3"
350         ::= { radiusAccServ 9 }

352     radiusAccServTotalBadAuthenticators OBJECT-TYPE
353         SYNTAX Counter32
354         UNITS "packets"
355         MAX-ACCESS read-only
356         STATUS current
357         DESCRIPTION
358             "The number of RADIUS Accounting-Request packets
359             which contained an invalid authenticator."
360         REFERENCE "RFC 2866 section 3"
361         ::= { radiusAccServ 10 }

363     radiusAccServTotalPacketsDropped OBJECT-TYPE
364         SYNTAX Counter32
365         UNITS "packets"
366         MAX-ACCESS read-only
367         STATUS current
368         DESCRIPTION
369             "The number of incoming packets silently discarded
370             for a reason other than malformed, bad authenticators,
371             or unknown types."
372         REFERENCE "RFC 2866 section 3"
373         ::= { radiusAccServ 11 }

375     radiusAccServTotalNoRecords OBJECT-TYPE
376         SYNTAX Counter32
377         UNITS "packets"
378         MAX-ACCESS read-only
379         STATUS current
380         DESCRIPTION
381             "The number of RADIUS Accounting-Request packets
382             which were received and responded to but not
383             recorded."
384         ::= { radiusAccServ 12 }

386     radiusAccServTotalUnknownTypes OBJECT-TYPE
387         SYNTAX Counter32
388         UNITS "packets"
389         MAX-ACCESS read-only
390         STATUS current
391         DESCRIPTION
392             "The number of RADIUS packets of unknown type which
393             were received."
394         REFERENCE "RFC 2866 section 4"
395         ::= { radiusAccServ 13 }

397     radiusAccClientTable OBJECT-TYPE
398         SYNTAX SEQUENCE OF RadiusAccClientEntry
399         MAX-ACCESS not-accessible
400         STATUS deprecated
401         DESCRIPTION
402             "The (conceptual) table listing the RADIUS accounting
403             clients with which the server shares a secret."
404         ::= { radiusAccServ 14 }

406     radiusAccClientEntry OBJECT-TYPE
407         SYNTAX RadiusAccClientEntry
408         MAX-ACCESS not-accessible
409         STATUS deprecated
410         DESCRIPTION
411             "An entry (conceptual row) representing a RADIUS
412             accounting client with which the server shares a
413             secret."
414         INDEX { radiusAccClientIndex }
415         ::= { radiusAccClientTable 1 }

417     RadiusAccClientEntry ::= SEQUENCE {
418         radiusAccClientIndex Integer32,
419         radiusAccClientAddress IpAddress,
420         radiusAccClientID SnmpAdminString,
421         radiusAccServPacketsDropped Counter32,
422         radiusAccServRequests Counter32,
423         radiusAccServDupRequests Counter32,
424         radiusAccServResponses Counter32,
425         radiusAccServBadAuthenticators Counter32,
426         radiusAccServMalformedRequests Counter32,
427         radiusAccServNoRecords Counter32,
428         radiusAccServUnknownTypes Counter32
429     }

431     radiusAccClientIndex OBJECT-TYPE
432         SYNTAX Integer32 (1..2147483647)
433         MAX-ACCESS not-accessible
434         STATUS deprecated
435         DESCRIPTION
436             "A number uniquely identifying each RADIUS accounting
437             client with which this server communicates."
438         ::= { radiusAccClientEntry 1 }

440     radiusAccClientAddress OBJECT-TYPE
441         SYNTAX IpAddress
442         MAX-ACCESS read-only
443         STATUS deprecated
444         DESCRIPTION
445             "The NAS-IP-Address of the RADIUS accounting client
446             referred to in this table entry."
447         ::= { radiusAccClientEntry 2 }

449     radiusAccClientID OBJECT-TYPE
450         SYNTAX SnmpAdminString
451         MAX-ACCESS read-only
452         STATUS deprecated
453         DESCRIPTION
454             "The NAS-Identifier of the RADIUS accounting client
455             referred to in this table entry. This is not
456             necessarily the same as sysName in MIB II."
457         REFERENCE "RFC 2865 section 5.32"
458         ::= { radiusAccClientEntry 3 }

460     -- Server Counters
461     --
462     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
463     -- UnknownTypes - PacketsDropped - Responses = Pending
464     --
465     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
466     -- UnknownTypes - PacketsDropped - NoRecords = entries logged

468     radiusAccServPacketsDropped OBJECT-TYPE
469         SYNTAX Counter32
470         UNITS "packets"
471         MAX-ACCESS read-only
472         STATUS deprecated
473         DESCRIPTION
474             "The number of incoming packets received
475             from this client and silently discarded
476             for a reason other than malformed, bad
477             authenticators, or unknown types."
478         REFERENCE "RFC 2866 section 3"
479         ::= { radiusAccClientEntry 4 }

481     radiusAccServRequests OBJECT-TYPE
482         SYNTAX Counter32
483         UNITS "packets"
484         MAX-ACCESS read-only
485         STATUS deprecated
486         DESCRIPTION
487             "The number of packets received from this
488             client on the accounting port."
489         REFERENCE "RFC 2866 section 4.1"
490         ::= { radiusAccClientEntry 5 }

492     radiusAccServDupRequests OBJECT-TYPE
493         SYNTAX Counter32
494         UNITS "packets"
495         MAX-ACCESS read-only
496         STATUS deprecated
497         DESCRIPTION
498             "The number of duplicate RADIUS Accounting-Request
499             packets received from this client."
500         REFERENCE "RFC 2866 section 4.1"
501         ::= { radiusAccClientEntry 6 }

503     radiusAccServResponses OBJECT-TYPE
504         SYNTAX Counter32
505         UNITS "packets"
506         MAX-ACCESS read-only
507         STATUS deprecated
508         DESCRIPTION
509             "The number of RADIUS Accounting-Response packets
510             sent to this client."
511         REFERENCE "RFC 2866 section 4.2"
512         ::= { radiusAccClientEntry 7 }

514     radiusAccServBadAuthenticators OBJECT-TYPE
515         SYNTAX Counter32
516         UNITS "packets"
517         MAX-ACCESS read-only
518         STATUS deprecated
519         DESCRIPTION
520             "The number of RADIUS Accounting-Request packets
521             which contained invalid authenticators received
522             from this client."
523         REFERENCE "RFC 2866 section 3"
524         ::= { radiusAccClientEntry 8 }

526     radiusAccServMalformedRequests OBJECT-TYPE
527         SYNTAX Counter32
528         UNITS "packets"
529         MAX-ACCESS read-only
530         STATUS deprecated
531         DESCRIPTION
532             "The number of malformed RADIUS Accounting-Request
533             packets which were received from this client.
534             Bad authenticators and unknown types
535             are not included as malformed Accounting-Requests."
536         REFERENCE "RFC 2866 section 3"
537         ::= { radiusAccClientEntry 9 }

539     radiusAccServNoRecords OBJECT-TYPE
540         SYNTAX Counter32
541         UNITS "packets"
542         MAX-ACCESS read-only
543         STATUS deprecated
544         DESCRIPTION
545             "The number of RADIUS Accounting-Request packets
546             which were received and responded to but not
547             recorded."
548         ::= { radiusAccClientEntry 10 }

550     radiusAccServUnknownTypes OBJECT-TYPE
551         SYNTAX Counter32
552         UNITS "packets"
553         MAX-ACCESS read-only
554         STATUS deprecated
555         DESCRIPTION
556             "The number of RADIUS packets of unknown type which
557             were received from this client."
558         REFERENCE "RFC 2866 section 4"
559         ::= { radiusAccClientEntry 11 }

561     -- New MIB objects added in this revision

563     radiusAccClientExtTable OBJECT-TYPE
564         SYNTAX SEQUENCE OF RadiusAccClientExtEntry
565         MAX-ACCESS not-accessible
566         STATUS current
567         DESCRIPTION
568             "The (conceptual) table listing the RADIUS accounting
569             clients with which the server shares a secret."
570         ::= { radiusAccServ 15 }

572     radiusAccClientExtEntry OBJECT-TYPE
573         SYNTAX RadiusAccClientExtEntry
574         MAX-ACCESS not-accessible
575         STATUS current
576         DESCRIPTION
577             "An entry (conceptual row) representing a RADIUS
578             accounting client with which the server shares a
579             secret."
580         INDEX { radiusAccClientExtIndex }
581         ::= { radiusAccClientExtTable 1 }

583     RadiusAccClientExtEntry ::= SEQUENCE {
584         radiusAccClientExtIndex Integer32,
585         radiusAccClientInetAddressType InetAddressType,
586         radiusAccClientInetAddress InetAddress,
587         radiusAccClientExtID SnmpAdminString,
588         radiusAccServExtPacketsDropped Counter32,
589         radiusAccServExtRequests Counter32,
590         radiusAccServExtDupRequests Counter32,
591         radiusAccServExtResponses Counter32,
592         radiusAccServExtBadAuthenticators Counter32,
593         radiusAccServExtMalformedRequests Counter32,
594         radiusAccServExtNoRecords Counter32,
595         radiusAccServExtUnknownTypes Counter32
596     }

598     radiusAccClientExtIndex OBJECT-TYPE
599         SYNTAX Integer32 (1..2147483647)
600         MAX-ACCESS not-accessible
601         STATUS current
602         DESCRIPTION
603             "A number uniquely identifying each RADIUS accounting
604             client with which this server communicates."
605         ::= { radiusAccClientExtEntry 1 }

607     radiusAccClientInetAddressType OBJECT-TYPE
608         SYNTAX InetAddressType
609         MAX-ACCESS read-only
610         STATUS current
611         DESCRIPTION
612             "The type of address format used for the
613             radiusAccClientInetAddress object."
614         ::= { radiusAccClientExtEntry 2 }

616     radiusAccClientInetAddress OBJECT-TYPE
617         SYNTAX InetAddress
618         MAX-ACCESS read-only
619         STATUS current
620         DESCRIPTION
621             "The IP address of the RADIUS accounting
622             client referred to in this table entry, using
623             the IPv6 address format."
624         ::= { radiusAccClientExtEntry 3 }

626     radiusAccClientExtID OBJECT-TYPE
627         SYNTAX SnmpAdminString
628         MAX-ACCESS read-only
629         STATUS current
630         DESCRIPTION
631             "The NAS-Identifier of the RADIUS accounting client
632             referred to in this table entry. This is not
633             necessarily the same as sysName in MIB II."
634         REFERENCE "RFC 2865 section 5.32"
635         ::= { radiusAccClientExtEntry 4 }

637     -- Server Counters
638     --
639     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
640     -- UnknownTypes - PacketsDropped - Responses = Pending
641     --
642     -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
643     -- UnknownTypes - PacketsDropped - NoRecords = entries logged

645     radiusAccServExtPacketsDropped OBJECT-TYPE
646         SYNTAX Counter32
647         UNITS "packets"
648         MAX-ACCESS read-only
649         STATUS current
650         DESCRIPTION
651             "The number of incoming packets received
652             from this client and silently discarded
653             for a reason other than malformed, bad
654             authenticators, or unknown types."
655         REFERENCE "RFC 2866 section 3"
656         ::= { radiusAccClientExtEntry 5 }

658     radiusAccServExtRequests OBJECT-TYPE
659         SYNTAX Counter32
660         UNITS "packets"
661         MAX-ACCESS read-only
662         STATUS current
663         DESCRIPTION
664             "The number of packets received from this
665             client on the accounting port."
666         REFERENCE "RFC 2866 section 4.1"
667         ::= { radiusAccClientExtEntry 6 }

669     radiusAccServExtDupRequests OBJECT-TYPE
670         SYNTAX Counter32
671         UNITS "packets"
672         MAX-ACCESS read-only
673         STATUS current
674         DESCRIPTION
675             "The number of duplicate RADIUS Accounting-Request
676             packets received from this client."
677         REFERENCE "RFC 2866 section 4.1"
678         ::= { radiusAccClientExtEntry 7 }

680     radiusAccServExtResponses OBJECT-TYPE
681         SYNTAX Counter32
682         UNITS "packets"
683         MAX-ACCESS read-only
684         STATUS current
685         DESCRIPTION
686             "The number of RADIUS Accounting-Response packets
687             sent to this client."
689         REFERENCE "RFC 2866 section 4.2"
690         ::= { radiusAccClientExtEntry 8 }

692     radiusAccServExtBadAuthenticators OBJECT-TYPE
693         SYNTAX Counter32
694         UNITS "packets"
695         MAX-ACCESS read-only
696         STATUS current
697         DESCRIPTION
698             "The number of RADIUS Accounting-Request packets
699             which contained invalid authenticators received
700             from this client."
701         REFERENCE "RFC 2866 section 3"
702         ::= { radiusAccClientExtEntry 9 }

704     radiusAccServExtMalformedRequests OBJECT-TYPE
705         SYNTAX Counter32
706         UNITS "packets"
707         MAX-ACCESS read-only
708         STATUS current
709         DESCRIPTION
710             "The number of malformed RADIUS Accounting-Request
711             packets which were received from this client.
712             Bad authenticators and unknown types
713             are not included as malformed Accounting-Requests."
714         REFERENCE "RFC 2866 section 3"
715         ::= { radiusAccClientExtEntry 10 }

717     radiusAccServExtNoRecords OBJECT-TYPE
718         SYNTAX Counter32
719         UNITS "packets"
720         MAX-ACCESS read-only
721         STATUS current
722         DESCRIPTION
723             "The number of RADIUS Accounting-Request packets
724             which were received and responded to but not
725             recorded."
726         ::= { radiusAccClientExtEntry 11 }

728     radiusAccServExtUnknownTypes OBJECT-TYPE
729         SYNTAX Counter32
730         UNITS "packets"
731         MAX-ACCESS read-only
732         STATUS current
733         DESCRIPTION
734             "The number of RADIUS packets of unknown type which
735             were received from this client."
736         REFERENCE "RFC 2866 section 4"
737         ::= { radiusAccClientExtEntry 12 }

739     -- conformance information

741     radiusAccServMIBConformance OBJECT IDENTIFIER
742         ::= { radiusAccServMIB 2 }

744     radiusAccServMIBCompliances OBJECT IDENTIFIER
745         ::= { radiusAccServMIBConformance 1 }

747     radiusAccServMIBGroups OBJECT IDENTIFIER
748         ::= { radiusAccServMIBConformance 2 }

750     -- compliance statements

752     radiusAccServMIBCompliance MODULE-COMPLIANCE
753         STATUS deprecated
754         DESCRIPTION
755             "The compliance statement for accounting servers
756             implementing the RADIUS Accounting Server MIB.
757             Implementation of this module is for IPv4-only
758             entities, or for backwards compatibility use with
759             entities that support both IPv4 and IPv6."
760         MODULE -- this module
761             MANDATORY-GROUPS { radiusAccServMIBGroup }

763         OBJECT radiusAccServConfigReset
764         WRITE-SYNTAX INTEGER { reset(2) }
765         DESCRIPTION "The only SETable value is 'reset' (2)."

767         ::= { radiusAccServMIBCompliances 1 }

769     radiusAccServExtMIBCompliance MODULE-COMPLIANCE
770         STATUS current
771         DESCRIPTION
772             "The compliance statement for accounting
773             servers implementing the RADIUS Accounting
774             Server IPv6 Extensions MIB. Implementation of
775             this module is for entities that support IPv6,
776             or support IPv4 and IPv6."
777         MODULE -- this module
778             MANDATORY-GROUPS { radiusAccServExtMIBGroup }

780         OBJECT radiusAccServConfigReset
781         WRITE-SYNTAX INTEGER { reset(2) }
782         DESCRIPTION "The only SETable value is 'reset' (2)."

784         ::= { radiusAccServMIBCompliances 2 }

786     -- units of conformance

788     radiusAccServMIBGroup OBJECT-GROUP
789         OBJECTS {radiusAccServIdent,
790                  radiusAccServUpTime,
791                  radiusAccServResetTime,
792                  radiusAccServConfigReset,
793                  radiusAccServTotalRequests,
794                  radiusAccServTotalInvalidRequests,
795                  radiusAccServTotalDupRequests,
796                  radiusAccServTotalResponses,
797                  radiusAccServTotalMalformedRequests,
798                  radiusAccServTotalBadAuthenticators,
799                  radiusAccServTotalPacketsDropped,
800                  radiusAccServTotalNoRecords,
801                  radiusAccServTotalUnknownTypes,
802                  radiusAccClientAddress,
803                  radiusAccClientID,
804                  radiusAccServPacketsDropped,
805                  radiusAccServRequests,
806                  radiusAccServDupRequests,
807                  radiusAccServResponses,
808                  radiusAccServBadAuthenticators,
809                  radiusAccServMalformedRequests,
810                  radiusAccServNoRecords,
811                  radiusAccServUnknownTypes
812                 }
813         STATUS deprecated
814         DESCRIPTION
815             "The collection of objects providing management of
816             a RADIUS Accounting Server."
817         ::= { radiusAccServMIBGroups 1 }

819  radiusAccServExtMIBGroup OBJECT-GROUP
820         OBJECTS {radiusAccServIdent,
821                  radiusAccServUpTime,
822                  radiusAccServResetTime,
823                  radiusAccServConfigReset,
824                  radiusAccServTotalRequests,
825                  radiusAccServTotalInvalidRequests,
826                  radiusAccServTotalDupRequests,
827                  radiusAccServTotalResponses,
828                  radiusAccServTotalMalformedRequests,
829                  radiusAccServTotalBadAuthenticators,
830                  radiusAccServTotalPacketsDropped,
831                  radiusAccServTotalNoRecords,
832                  radiusAccServTotalUnknownTypes,
833                  radiusAccClientInetAddressType,
834                  radiusAccClientInetAddress,
835                  radiusAccClientExtID,
836                  radiusAccServExtPacketsDropped,
837                  radiusAccServExtRequests,
838                  radiusAccServExtDupRequests,
839                  radiusAccServExtResponses,
840                  radiusAccServExtBadAuthenticators,
841                  radiusAccServExtMalformedRequests,
842                  radiusAccServExtNoRecords,
843                  radiusAccServExtUnknownTypes
844                 }
845         STATUS current
846         DESCRIPTION
847               "The collection of objects providing management of
848                a RADIUS Accounting Server."
849         ::= { radiusAccServMIBGroups 2 }

851  END

853  8. IANA Considerations

855     This document requires no new IANA assignments.

857  9. Security Considerations

859     There are management objects (radiusAccServConfigReset) defined in
860     this MIB that have a MAX-ACCESS clause of read-write and/or read-
861     create. Such objects may be considered sensitive or vulnerable in
862     some network environments. The support for SET operations in a non-
863     secure environment without proper protection can have a negative
864     effect on network operations. These are:

866     radiusAccServConfigReset This object can be used to reinitialize the
867        persistent state of any server. When set to reset(2), any
868        persistent server state (such as a process) is reinitialized as if
869        the server had just been started. Depending on the server
870        implementation details, this action may or may not interrupt the
871        processing of pending requests in the server. Abuse of this object
872        may lead to a Denial of Service attack on the server.

874     There are a number of managed objects in this MIB that may contain
875     sensitive information. These are:

877     radiusAccClientIPAddress This can be used to determine the address of
878        the RADIUS accounting client with which the server is
879        communicating. This information could be useful in mounting an
880        attack on the accounting client.
881     radiusAccClientInetAddress This can be used to determine the address
882        of the RADIUS accounting client with which the server is
883        communicating. This information could be useful in mounting an
884        attack on the accounting client.

886     It is thus important to control even GET access to these objects and
887     possibly to even encrypt the values of these objects when sending them
888     over the network via SNMP. Not all versions of SNMP provide features
889     for such a secure environment.

891     SNMP versions prior to SNMPv3 do not provide a secure environment.
892     Even if the network itself is secure (for example by using IPsec),
893     there is no control as to who on the secure network is allowed to
894     access and GET/SET (read/change/create/delete) the objects in this
895     MIB.

897     It is RECOMMENDED that implementers consider the security features as
898     provided by the SNMPv3 framework (see [RFC3410], section 8),
899     including full support for the SNMPv3 cryptographic mechanisms (for
900     authentication and privacy).

902     Further, deployment of SNMP versions prior to SNMPv3 is NOT
903     RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
904     enable cryptographic security. It is then a customer/operator
905     responsibility to ensure that the SNMP entity giving access to an
906     instance of this MIB module is properly configured to give access to
907     the objects only to those principals (users) that have legitimate
908     rights to indeed GET or SET (change/create/delete) them.

910  10. References

912  10.1. Normative References

914     [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
915               Requirement Levels", BCP 14, RFC 2119, March 1997.

917     [RFC2574] Blumenthal, U. and B. Wijnen, "User-based Security Model
918               (USM) for version 3 of the Simple Network Management
919               Protocol (SNMPv3)", RFC 2574, April 1999.

921     [RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
922               Access Control Model (VACM) for the Simple Network
923               Management Protocol (SNMP)", RFC 2575, April 1999.

925     [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
926               Schoenwaelder, Ed., "Structure of Management Information
927               Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

929     [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
930               Schoenwaelder, Ed., "Textual Conventions for SMIv2",
931               STD 58, RFC 2579, April 1999.

933     [RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
934               "Conformance Statements for SMIv2", STD 58, RFC 2580,
935               April 1999.

937     [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

939     [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
940               "Introduction and Applicability Statements for Internet-
941               Standard Management Framework", RFC 3410, December 2002.

943     [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
944               Architecture for Describing Simple Network Management
945               Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
946               December 2002.

948     [RFC3418] Presuhn, R., "Management Information Base (MIB) for the
949               Simple Network Management Protocol (SNMP)", STD 62,
950               RFC 3418, December 2002.

952     [RFC4001] Daniele, M., Haberman, B., Routhier, S., and J.
953               Schoenwaelder, "Textual Conventions for Internet Network
954               Addresses", RFC 4001, February 2005.

956  10.2. Informative References

958     [RFC2621] Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
959               RFC 2621, June 1999.

961     [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
962               "Remote Authentication Dial In User Service (RADIUS)",
963               RFC 2865, June 2000.

965  Appendix A. Acknowledgments

967     The Authors of the original MIB are Bernard Aboba and Glen Zorn.

969     Many thanks to all reviewers, especially to Dave Harrington, Dan
970     Romascanu, C.M. Heard, Bruno Pape and Greg Weber.

972  Author's Address

974     David B. Nelson
975     Enterasys Networks
976     50 Minuteman Road
977     Andover, MA 01810
978     USA

980     Email: dnelson@enterasys.com

982  Intellectual Property Statement

984     The IETF takes no position regarding the validity or scope of any
985     Intellectual Property Rights or other rights that might be claimed to
986     pertain to the implementation or use of the technology described in
987     this document or the extent to which any license under such rights
988     might or might not be available; nor does it represent that it has
989     made any independent effort to identify any such rights. Information
990     on the procedures with respect to rights in RFC documents can be
991     found in BCP 78 and BCP 79.

993     Copies of IPR disclosures made to the IETF Secretariat and any
994     assurances of licenses to be made available, or the result of an
995     attempt made to obtain a general license or permission for the use of
996     such proprietary rights by implementers or users of this
997     specification can be obtained from the IETF on-line IPR repository at
998     http://www.ietf.org/ipr.

1000    The IETF invites any interested party to bring to its attention any
1001    copyrights, patents or patent applications, or other proprietary
1002    rights that may cover technology that may be required to implement
1003    this standard. Please address the information to the IETF at
1004    ietf-ipr@ietf.org.
1006 Disclaimer of Validity

1008    This document and the information contained herein are provided on an
1009    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1010    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1011    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1012    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1013    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1014    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1016 Copyright Statement

1018    Copyright (C) The Internet Society (2006). This document is subject
1019    to the rights, licenses and restrictions contained in BCP 78, and
1020    except as set forth therein, the authors retain all their rights.

1022 Acknowledgment

1024    Funding for the RFC Editor function is currently provided by the
1025    Internet Society.
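
The access-control advice in Section 9 (no SNMP before SNMPv3, authentication and privacy enabled, SET limited to legitimate principals), checked against an agent configuration. This is an added example, not part of the draft: it assumes a Net-SNMP agent and its snmpd.conf access directives, and the sample file, user names and view name are constructed.

```python
import shlex

# Constructed sample in Net-SNMP snmpd.conf syntax; all names are made up.
SAMPLE_CONF = """\
# left over from an SNMPv2c deployment
rwcommunity private 10.0.0.0/8
rocommunity public
rouser monitor auth
rwuser radadmin priv -V radiusAcctView
rouser nocrypt noauth
rwuser ops priv
"""

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6",
             "com2sec", "com2sec6"}
USERS = {"rouser", "rwuser"}

def audit_snmpd_conf(text):
    """Return (line_no, severity, message) for risky access directives."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        writable = directive.startswith("rw")
        if directive in COMMUNITY:
            msg = "pre-SNMPv3 community: no authentication or privacy"
            if writable:
                msg += "; SET allowed (radiusAccServConfigReset writable)"
            findings.append((line_no, "high", msg))
        elif directive in USERS:
            if args[:1] == ["-s"]:        # optional "-s SECMODEL" prefix
                args = args[2:]
            if not args:
                continue
            level = args[1] if len(args) > 1 else "auth"  # Net-SNMP default
            scoped = len(args) > 2        # an OID or "-V VIEW" follows
            if level == "noauth":
                findings.append((line_no, "high",
                                 "SNMPv3 user without authentication"))
            elif level != "priv":
                findings.append((line_no, "medium",
                                 "no privacy: client addresses readable in transit"))
            elif writable and not scoped:
                findings.append((line_no, "medium",
                                 "SET on the whole OID tree; restrict with a view"))
    return findings

if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(*finding, sep=": ")
```

A view name passing this check only shows that a restriction exists; whether the view actually excludes radiusAccServConfigReset still has to be confirmed against the agent's view definitions.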