idnits 2.17.1

draft-ietf-radext-rfc2621bis-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1065.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1042.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1049.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1055.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of
     the newer disclaimer which includes the IETF Trust according to RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment.  If not, you may need to add the pre-RFC5378
     disclaimer.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 12, 2006) is 6558 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2865' is defined on line 1004, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 2866

  -- Obsolete informational reference (is this intentional?): RFC 2621
     (Obsoleted by RFC 4671)

     Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Network Working Group                                          D. Nelson
3    Internet-Draft                                        Enterasys Networks
4    Obsoletes: RFC 2621 (if approved)                           May 12, 2006
5    Expires: November 13, 2006

7                         RADIUS Acct Server MIB (IPv6)
8                      draft-ietf-radext-rfc2621bis-03.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups.  Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time.  It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress."

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33      This Internet-Draft will expire on November 13, 2006.

35   Copyright Notice

37      Copyright (C) The Internet Society (2006).

39   Abstract

41      This memo defines a set of extensions which instrument RADIUS
42      accounting server functions.  These extensions represent a portion of
43      the Management Information Base (MIB) for use with network management
44      protocols in the Internet community.  Using these extensions IP-based
45      management stations can manage RADIUS accounting servers.

47      This memo obsoletes RFC 2621 by deprecating the MIB table containing
48      IPv4-only address formats and defining a new table to add support for
49      version neutral IP address formats.  The remaining MIB objects from
50      RFC 2621 are carried forward into this document.  This memo also adds
51      UNITS and REFERENCE clauses to selected objects.

53   Table of Contents

55      1.  Terminology
56      2.  Introduction
57      3.  The Internet-Standard Management Framework
58      4.  Scope of Changes
59      5.  Structure of the MIB Module
60      6.  Deprecated Objects
61      7.  Definitions
62      8.  IANA Considerations
63      9.  Security Considerations
64      10. References
65        10.1.  Normative References
66        10.2.  Informative References
67      Appendix A.  Acknowledgments
68      Author's Address
69      Intellectual Property and Copyright Statements

71   1.  Terminology

73      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
74      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
75      document are to be interpreted as described in RFC 2119 [RFC2119].

77      This document uses terminology from RFC 2866 [RFC2866].

79      This document uses the word "malformed" with respect to RADIUS
80      packets, particularly in the context of counters of "malformed
81      packets".  While RFC 2866 does not provide an explicit definition of
82      "malformed", malformed generally means that the implementation has
83      determined the packet does not match the format defined in RFC 2866.
84      Those implementations are used in deployments today, and thus set the
85      de-facto definition of "malformed".

87   2.  Introduction

89      This memo defines a portion of the Management Information Base (MIB)
90      for use with network management protocols in the Internet community.
91      The objects defined within this memo relate to the Remote
92      Authentication Dial-In User Service (RADIUS) Accounting Server as
93      defined in RFC 2866 [RFC2866].

95   3.  The Internet-Standard Management Framework

97      For a detailed overview of the documents that describe the current
98      Internet-Standard Management Framework, please refer to section 7 of
99      RFC 3410 [RFC3410].

101     Managed objects are accessed via a virtual information store, termed
102     the Management Information Base or MIB.  MIB objects are generally
103     accessed through the Simple Network Management Protocol (SNMP).
104     Objects in the MIB are defined using the mechanisms defined in the
105     Structure of Management Information (SMI).  This memo specifies a MIB
106     module that is compliant to the SMIv2, which is described in STD 58,
107     RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
108     [RFC2580].

110  4.  Scope of Changes

112     This document obsoletes RFC 2621 [RFC2621], RADIUS Accounting Server
113     MIB, by deprecating the radiusAccClientTable table and adding a new
114     table, radiusAccClientExtTable, containing
115     radiusAccClientInetAddressType and radiusAccClientInetAddress.  The
116     purpose of these added MIB objects is to support version neutral IP
117     addressing formats.  The existing table containing
118     radiusAccClientAddress is deprecated.  The remaining MIB objects from
119     RFC 2621 are carried forward into this document.  This memo also adds
120     UNITS and REFERENCE clauses to selected objects.

122     RFC 4001 [RFC4001], which defines the SMI Textual Conventions for
123     version neutral IP addresses, contains the following recommendation.

125     'In particular, when revising a MIB module that contains IPv4
126     specific tables, it is suggested to define new tables using the
127     textual conventions defined in this memo [RFC4001] that support all
128     versions of IP.  The status of the new tables SHOULD be "current",
129     whereas the status of the old IP version specific tables SHOULD be
130     changed to "deprecated".  The other approach, of having multiple
131     similar tables for different IP versions, is strongly discouraged.'

133  5.  Structure of the MIB Module

135     The RADIUS accounting protocol, described in RFC 2866 [RFC2866],
136     distinguishes between the client function and the server function.
137     In RADIUS accounting, clients send Accounting-Requests, and servers
138     reply with Accounting-Responses.  Typically Network Access Server
139     (NAS) devices implement the client function, and thus would be
140     expected to implement the RADIUS accounting client MIB, while RADIUS
141     accounting servers implement the server function, and thus would be
142     expected to implement the RADIUS accounting server MIB.

144     However, it is possible for a RADIUS accounting entity to perform
145     both client and server functions.  For example, a RADIUS proxy may
146     act as a server to one or more RADIUS accounting clients, while
147     simultaneously acting as an accounting client to one or more
148     accounting servers.  In such situations, it is expected that RADIUS
149     entities combining client and server functionality will support both
150     the client and server MIBs.

152     This MIB module contains thirteen scalars as well as a single table,
153     the RADIUS Accounting Client Table, which contains one row for each
154     RADIUS accounting client with which the server shares a secret.  Each
155     entry in the RADIUS Accounting Client Table includes twelve columns
156     presenting a view of the activity of the RADIUS accounting server.

158  6.  Deprecated Objects

160     The deprecated table in this MIB is carried forward from RFC 2621
161     [RFC2621].  There are two conditions under which it MAY be desirable
162     for managed entities to continue to support the deprecated table:

164     1.  The managed entity only supports IPv4 address formats.
165     2.  The managed entity supports both IPv4 and IPv6 address formats,
166         and the deprecated table is supported for backwards compatibility
167         with older management stations.  This option SHOULD only be used
168         when the IP addresses in the new table are in IPv4 format and can
169         accurately be represented in both the new table and the
170         deprecated table.

172     Managed entities SHOULD NOT instantiate row entries in the deprecated
173     table, containing IPv4-only address objects, when the RADIUS
174     accounting client address represented in such a table row is not an
175     IPv4 address.  Managed entities SHOULD NOT return inaccurate values
176     of IP address or SNMP object access errors for IPv4-only address
177     objects in otherwise populated tables.  When row entries exist in
178     both the deprecated IPv4-only table and the new IP version neutral
179     table that describe the same RADIUS accounting client, the row
180     indexes SHOULD be the same for the corresponding rows in each table,
181     to facilitate correlation of these related rows by management
182     applications.

184  7.  Definitions

186  RADIUS-ACCT-SERVER-MIB DEFINITIONS ::= BEGIN

188  IMPORTS
189         MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
190         Counter32, Integer32,
191         IpAddress, TimeTicks, mib-2      FROM SNMPv2-SMI
192         SnmpAdminString                  FROM SNMP-FRAMEWORK-MIB
193         InetAddressType, InetAddress     FROM INET-ADDRESS-MIB
194         MODULE-COMPLIANCE, OBJECT-GROUP  FROM SNMPv2-CONF;

196  radiusAccServMIB MODULE-IDENTITY
197         LAST-UPDATED "200605100000Z" -- 10 May 2006
198         ORGANIZATION "IETF RADIUS Extensions Working Group."
199         CONTACT-INFO
200                " Bernard Aboba
201                  Microsoft
202                  One Microsoft Way
203                  Redmond, WA  98052
204                  US
205                  Phone: +1 425 936 6605
206                  EMail: bernarda@microsoft.com"
207         DESCRIPTION
208               "The MIB module for entities implementing the server
209                side of the Remote Authentication Dial-In User
210                Service (RADIUS) accounting protocol.  Copyright (C)
211                The Internet Society (2006).  This version of this
212                MIB module is part of RFC xxxx; see the RFC itself
213                for full legal notices."

215  -- RFC Editor: replace xxxx with actual RFC number at the time of
216  -- publication, and remove this note.

218         REVISION "200605100000Z" -- 10 May 2006
219         DESCRIPTION
220               "Revised version as published in RFC xxxx.  This
221                version obsoletes that of RFC 2621 by deprecating
222                the MIB table containing IPv4-only address formats
223                and defining a new table to add support for version
224                neutral IP address formats.  The remaining MIB objects
225                from RFC 2621 are carried forward into this version."

227  -- RFC Editor: replace xxxx with actual RFC number at the time of
228  -- publication, and remove this note.

230         REVISION "199906110000Z" -- 11 Jun 1999
231         DESCRIPTION "Initial version as published in RFC 2621."

233         ::= { radiusAccounting 1 }

235  radiusMIB OBJECT-IDENTITY
236         STATUS  current
237         DESCRIPTION
238               "The OID assigned to RADIUS MIB work by the IANA."
239         ::= { mib-2 67 }

241  radiusAccounting  OBJECT IDENTIFIER ::= {radiusMIB 2}

243  radiusAccServMIBObjects  OBJECT IDENTIFIER
244         ::= { radiusAccServMIB 1 }

246  radiusAccServ  OBJECT IDENTIFIER
247         ::= { radiusAccServMIBObjects 1 }

249  radiusAccServIdent OBJECT-TYPE
250         SYNTAX      SnmpAdminString
251         MAX-ACCESS  read-only
252         STATUS      current
253         DESCRIPTION
254               "The implementation identification string for the
255                RADIUS accounting server software in use on the
256                system, for example; `FNS-2.1'"
257         ::= {radiusAccServ 1}

259  radiusAccServUpTime OBJECT-TYPE
260         SYNTAX      TimeTicks
261         MAX-ACCESS  read-only
262         STATUS      current
263         DESCRIPTION
264               "If the server has a persistent state (e.g., a
265                process), this value will be the time elapsed (in
266                hundredths of a second) since the server process was
267                started.  For software without persistent state, this
268                value will be zero."
269         ::= {radiusAccServ 2}

271  radiusAccServResetTime OBJECT-TYPE
272         SYNTAX      TimeTicks
273         MAX-ACCESS  read-only
274         STATUS      current
275         DESCRIPTION
276               "If the server has a persistent state (e.g., a process)
277                and supports a `reset' operation (e.g., can be told to
278                re-read configuration files), this value will be the
279                time elapsed (in hundredths of a second) since the
280                server was `reset.'  For software that does not
281                have persistence or does not support a `reset'
282                operation, this value will be zero."
283         ::= {radiusAccServ 3}

285  radiusAccServConfigReset OBJECT-TYPE
286         SYNTAX INTEGER { other(1),
287                          reset(2),
288                          initializing(3),
289                          running(4)}
290         MAX-ACCESS  read-write
291         STATUS      current
292         DESCRIPTION
293               "Status/action object to reinitialize any persistent
294                server state.  When set to reset(2), any persistent
295                server state (such as a process) is reinitialized as
296                if the server had just been started.  This value will
297                never be returned by a read operation.  When read,
298                one of the following values will be returned:
299                    other(1) - server in some unknown state;
300                    initializing(3) - server (re)initializing;
301                    running(4) - server currently running."
302         ::= {radiusAccServ 4}

304  radiusAccServTotalRequests OBJECT-TYPE
305         SYNTAX      Counter32
306         UNITS       "packets"
307         MAX-ACCESS  read-only
308         STATUS      current
309         DESCRIPTION
310               "The number of packets received on the
311                accounting port."
312         REFERENCE "RFC 2866 section 4.1"
313         ::= { radiusAccServ 5 }

315  radiusAccServTotalInvalidRequests OBJECT-TYPE
316         SYNTAX      Counter32
317         UNITS       "packets"
318         MAX-ACCESS  read-only
319         STATUS      current
320         DESCRIPTION
321               "The number of RADIUS Accounting-Request packets
322                received from unknown addresses."
323         REFERENCE "RFC 2866 sections 2, 4.1"
324         ::= { radiusAccServ 6 }

326  radiusAccServTotalDupRequests OBJECT-TYPE
327         SYNTAX      Counter32
328         UNITS       "packets"
329         MAX-ACCESS  read-only
330         STATUS      current
331         DESCRIPTION
332               "The number of duplicate RADIUS Accounting-Request
333                packets received."
334         REFERENCE "RFC 2866 section 4.1"
335         ::= { radiusAccServ 7 }

337  radiusAccServTotalResponses OBJECT-TYPE
338         SYNTAX      Counter32
339         UNITS       "packets"
340         MAX-ACCESS  read-only
341         STATUS      current
342         DESCRIPTION
343               "The number of RADIUS Accounting-Response packets
344                sent."
345         REFERENCE "RFC 2866 section 4.2"
346         ::= { radiusAccServ 8 }

348  radiusAccServTotalMalformedRequests OBJECT-TYPE
349         SYNTAX      Counter32
350         UNITS       "packets"
351         MAX-ACCESS  read-only
352         STATUS      current
353         DESCRIPTION
354               "The number of malformed RADIUS Accounting-Request
355                packets received.  Bad authenticators or unknown
356                types are not included as malformed Access-Requests."
357         REFERENCE "RFC 2866 section 3"
358         ::= { radiusAccServ 9 }

360  radiusAccServTotalBadAuthenticators OBJECT-TYPE
361         SYNTAX      Counter32
362         UNITS       "packets"
363         MAX-ACCESS  read-only
364         STATUS      current
365         DESCRIPTION
366               "The number of RADIUS Accounting-Request packets
367                which contained an invalid authenticator."
368         REFERENCE "RFC 2866 section 3"
369         ::= { radiusAccServ 10 }

371  radiusAccServTotalPacketsDropped OBJECT-TYPE
372         SYNTAX      Counter32
373         UNITS       "packets"
374         MAX-ACCESS  read-only
375         STATUS      current
376         DESCRIPTION
377               "The number of incoming packets silently discarded
378                for a reason other than malformed, bad authenticators,
379                or unknown types."
380         REFERENCE "RFC 2866 section 3"
381         ::= { radiusAccServ 11 }

383  radiusAccServTotalNoRecords OBJECT-TYPE
384         SYNTAX      Counter32
385         UNITS       "packets"
386         MAX-ACCESS  read-only
387         STATUS      current
388         DESCRIPTION
389               "The number of RADIUS Accounting-Request packets
390                which were received and responded to but not
391                recorded."
392         ::= { radiusAccServ 12 }

394  radiusAccServTotalUnknownTypes OBJECT-TYPE
395         SYNTAX      Counter32
396         UNITS       "packets"
397         MAX-ACCESS  read-only
398         STATUS      current
399         DESCRIPTION
400               "The number of RADIUS packets of unknown type which
401                were received."
402         REFERENCE "RFC 2866 section 4"
403         ::= { radiusAccServ 13 }

405  radiusAccClientTable OBJECT-TYPE
406         SYNTAX      SEQUENCE OF RadiusAccClientEntry
407         MAX-ACCESS  not-accessible
408         STATUS      deprecated
409         DESCRIPTION
410               "The (conceptual) table listing the RADIUS accounting
411                clients with which the server shares a secret."
412         ::= { radiusAccServ 14 }

414  radiusAccClientEntry OBJECT-TYPE
415         SYNTAX      RadiusAccClientEntry
416         MAX-ACCESS  not-accessible
417         STATUS      deprecated
418         DESCRIPTION
419               "An entry (conceptual row) representing a RADIUS
420                accounting client with which the server shares a
421                secret."
422         INDEX       { radiusAccClientIndex }
423         ::= { radiusAccClientTable 1 }

425  RadiusAccClientEntry ::= SEQUENCE {
426         radiusAccClientIndex            Integer32,
427         radiusAccClientAddress          IpAddress,
428         radiusAccClientID               SnmpAdminString,
429         radiusAccServPacketsDropped     Counter32,
430         radiusAccServRequests           Counter32,
431         radiusAccServDupRequests        Counter32,
432         radiusAccServResponses          Counter32,
433         radiusAccServBadAuthenticators  Counter32,
434         radiusAccServMalformedRequests  Counter32,
435         radiusAccServNoRecords          Counter32,
436         radiusAccServUnknownTypes       Counter32
437  }

439  radiusAccClientIndex OBJECT-TYPE
440         SYNTAX      Integer32 (1..2147483647)
441         MAX-ACCESS  not-accessible
442         STATUS      deprecated
443         DESCRIPTION
444               "A number uniquely identifying each RADIUS accounting
445                client with which this server communicates."
446         ::= { radiusAccClientEntry 1 }

448  radiusAccClientAddress OBJECT-TYPE
449         SYNTAX      IpAddress
450         MAX-ACCESS  read-only
451         STATUS      deprecated
452         DESCRIPTION
453               "The NAS-IP-Address of the RADIUS accounting client
454                referred to in this table entry."
455         ::= { radiusAccClientEntry 2 }

457  radiusAccClientID OBJECT-TYPE
458         SYNTAX      SnmpAdminString
459         MAX-ACCESS  read-only
460         STATUS      deprecated
461         DESCRIPTION
462               "The NAS-Identifier of the RADIUS accounting client
463                referred to in this table entry.  This is not
464                necessarily the same as sysName in MIB II."
465         REFERENCE "RFC 2865 section 5.32"
466         ::= { radiusAccClientEntry 3 }

468  -- Server Counters
469  --
470  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
471  -- UnknownTypes -  PacketsDropped - Responses = Pending
472  --
473  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
474  -- UnknownTypes - PacketsDropped - NoRecords = entries logged

476  radiusAccServPacketsDropped OBJECT-TYPE
477         SYNTAX      Counter32
478         UNITS       "packets"
479         MAX-ACCESS  read-only
480         STATUS      deprecated
481         DESCRIPTION
482               "The number of incoming packets received
483                from this client and silently discarded
484                for a reason other than malformed, bad
485                authenticators, or unknown types."
486         REFERENCE "RFC 2866 section 3"
487         ::= { radiusAccClientEntry 4 }

489  radiusAccServRequests OBJECT-TYPE
490         SYNTAX      Counter32
491         UNITS       "packets"
492         MAX-ACCESS  read-only
493         STATUS      deprecated
494         DESCRIPTION
495               "The number of packets received from this
496                client on the accounting port."
497         REFERENCE "RFC 2866 section 4.1"
498         ::= { radiusAccClientEntry 5 }

500  radiusAccServDupRequests OBJECT-TYPE
501         SYNTAX      Counter32
502         UNITS       "packets"
503         MAX-ACCESS  read-only
504         STATUS      deprecated
505         DESCRIPTION
506               "The number of duplicate RADIUS Accounting-Request
507                packets received from this client."
508         REFERENCE "RFC 2866 section 4.1"
509         ::= { radiusAccClientEntry 6 }

511  radiusAccServResponses OBJECT-TYPE
512         SYNTAX      Counter32
513         UNITS       "packets"
514         MAX-ACCESS  read-only
515         STATUS      deprecated
516         DESCRIPTION
517               "The number of RADIUS Accounting-Response packets
518                sent to this client."
519         REFERENCE "RFC 2866 section 4.2"
520         ::= { radiusAccClientEntry 7 }

522  radiusAccServBadAuthenticators OBJECT-TYPE
523         SYNTAX      Counter32
524         UNITS       "packets"
525         MAX-ACCESS  read-only
526         STATUS      deprecated
527         DESCRIPTION
528               "The number of RADIUS Accounting-Request packets
529                which contained invalid authenticators received
530                from this client."
531         REFERENCE "RFC 2866 section 3"
532         ::= { radiusAccClientEntry 8 }

534  radiusAccServMalformedRequests OBJECT-TYPE
535         SYNTAX      Counter32
536         UNITS       "packets"
537         MAX-ACCESS  read-only
538         STATUS      deprecated
539         DESCRIPTION
540               "The number of malformed RADIUS Accounting-Request
541                packets which were received from this client.
542                Bad authenticators and unknown types
543                are not included as malformed Accounting-Requests."

545         REFERENCE "RFC 2866 section 3"
546         ::= { radiusAccClientEntry 9 }

548  radiusAccServNoRecords OBJECT-TYPE
549         SYNTAX      Counter32
550         UNITS       "packets"
551         MAX-ACCESS  read-only
552         STATUS      deprecated
553         DESCRIPTION
554               "The number of RADIUS Accounting-Request packets
555                which were received and responded to but not
556                recorded."
557         ::= { radiusAccClientEntry 10 }

559  radiusAccServUnknownTypes OBJECT-TYPE
560         SYNTAX      Counter32
561         UNITS       "packets"
562         MAX-ACCESS  read-only
563         STATUS      deprecated
564         DESCRIPTION
565               "The number of RADIUS packets of unknown type which
566                were received from this client."
567         REFERENCE "RFC 2866 section 4"
568         ::= { radiusAccClientEntry 11 }

570  -- New MIB objects added in this revision

572  radiusAccClientExtTable OBJECT-TYPE
573         SYNTAX      SEQUENCE OF RadiusAccClientExtEntry
574         MAX-ACCESS  not-accessible
575         STATUS      current
576         DESCRIPTION
577               "The (conceptual) table listing the RADIUS accounting
578                clients with which the server shares a secret."
579         ::= { radiusAccServ 15 }

581  radiusAccClientExtEntry OBJECT-TYPE
582         SYNTAX      RadiusAccClientExtEntry
583         MAX-ACCESS  not-accessible
584         STATUS      current
585         DESCRIPTION
586               "An entry (conceptual row) representing a RADIUS
587                accounting client with which the server shares a
588                secret."
589         INDEX       { radiusAccClientExtIndex }
590         ::= { radiusAccClientExtTable 1 }

592  RadiusAccClientExtEntry ::= SEQUENCE {
593         radiusAccClientExtIndex              Integer32,
594         radiusAccClientInetAddressType       InetAddressType,
595         radiusAccClientInetAddress           InetAddress,
596         radiusAccClientExtID                 SnmpAdminString,
597         radiusAccServExtPacketsDropped       Counter32,
598         radiusAccServExtRequests             Counter32,
599         radiusAccServExtDupRequests          Counter32,
600         radiusAccServExtResponses            Counter32,
601         radiusAccServExtBadAuthenticators    Counter32,
602         radiusAccServExtMalformedRequests    Counter32,
603         radiusAccServExtNoRecords            Counter32,
604         radiusAccServExtUnknownTypes         Counter32,
605         radiusAccServerCounterDiscontinuity  TimeTicks
606  }

608  radiusAccClientExtIndex OBJECT-TYPE
609         SYNTAX      Integer32 (1..2147483647)
610         MAX-ACCESS  not-accessible
611         STATUS      current
612         DESCRIPTION
613               "A number uniquely identifying each RADIUS accounting
614                client with which this server communicates."
615         ::= { radiusAccClientExtEntry 1 }

617  radiusAccClientInetAddressType OBJECT-TYPE
618         SYNTAX      InetAddressType
619         MAX-ACCESS  read-only
620         STATUS      current
621         DESCRIPTION
622               "The type of address format used for the
623                radiusAccClientInetAddress object."
624         ::= { radiusAccClientExtEntry 2 }

626  radiusAccClientInetAddress OBJECT-TYPE
627         SYNTAX      InetAddress
628         MAX-ACCESS  read-only
629         STATUS      current
630         DESCRIPTION
631               "The IP address of the RADIUS accounting
632                client referred to in this table entry, using
633                the IPv6 address format."
634         ::= { radiusAccClientExtEntry 3 }

636  radiusAccClientExtID OBJECT-TYPE
637         SYNTAX      SnmpAdminString
638         MAX-ACCESS  read-only
639         STATUS      current
640         DESCRIPTION
641               "The NAS-Identifier of the RADIUS accounting client
642                referred to in this table entry.  This is not
643                necessarily the same as sysName in MIB II."
644         REFERENCE "RFC 2865 section 5.32"
645         ::= { radiusAccClientExtEntry 4 }

647  -- Server Counters
648  --
649  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
650  -- UnknownTypes -  PacketsDropped - Responses = Pending
651  --
652  -- Requests - DupRequests - BadAuthenticators - MalformedRequests -
653  -- UnknownTypes - PacketsDropped - NoRecords = entries logged

655  radiusAccServExtPacketsDropped OBJECT-TYPE
656         SYNTAX      Counter32
657         UNITS       "packets"
658         MAX-ACCESS  read-only
659         STATUS      current
660         DESCRIPTION
661               "The number of incoming packets received from this
662                client and silently discarded for a reason other
663                than malformed, bad authenticators, or unknown types.
664                This counter may experience a discontinuity when the
665                RADIUS Accounting Server module within the managed
666                entity is reinitialized, as indicated by the current
667                value of radiusAccServerCounterDiscontinuity."
668         REFERENCE "RFC 2866 section 3"
669         ::= { radiusAccClientExtEntry 5 }

671  radiusAccServExtRequests OBJECT-TYPE
672         SYNTAX      Counter32
673         UNITS       "packets"
674         MAX-ACCESS  read-only
675         STATUS      current
676         DESCRIPTION
677               "The number of packets received from this
678                client on the accounting port.  This counter
679                may experience a discontinuity when the
680                RADIUS Accounting Server module within the
681                managed entity is reinitialized, as indicated by
682                the current value of
683                radiusAccServerCounterDiscontinuity."
684         REFERENCE "RFC 2866 section 4.1"
685         ::= { radiusAccClientExtEntry 6 }

687  radiusAccServExtDupRequests OBJECT-TYPE
688         SYNTAX      Counter32
689         UNITS       "packets"
690         MAX-ACCESS  read-only
691         STATUS      current
692         DESCRIPTION
693               "The number of duplicate RADIUS Accounting-Request
694                packets received from this client.  This counter
695                may experience a discontinuity when the RADIUS
696                Accounting Server module within the managed
697                entity is reinitialized, as indicated by the
698                current value of
699                radiusAccServerCounterDiscontinuity."
700         REFERENCE "RFC 2866 section 4.1"
701         ::= { radiusAccClientExtEntry 7 }

703  radiusAccServExtResponses OBJECT-TYPE
704         SYNTAX      Counter32
705         UNITS       "packets"
706         MAX-ACCESS  read-only
707         STATUS      current
708         DESCRIPTION
709               "The number of RADIUS Accounting-Response packets
710                sent to this client.  This counter may experience
711                a discontinuity when the RADIUS Accounting Server
712                module within the managed entity is reinitialized,
713                as indicated by the current value of
714                radiusAccServerCounterDiscontinuity."
715         REFERENCE "RFC 2866 section 4.2"
716         ::= { radiusAccClientExtEntry 8 }

718  radiusAccServExtBadAuthenticators OBJECT-TYPE
719         SYNTAX      Counter32
720         UNITS       "packets"
721         MAX-ACCESS  read-only
722         STATUS      current
723         DESCRIPTION
724               "The number of RADIUS Accounting-Request packets
725                which contained invalid authenticators received
726                from this client.  This counter may experience a
727                discontinuity when the RADIUS Accounting Server
728                module within the managed entity is reinitialized,
729                as indicated by the current value of
730                radiusAccServerCounterDiscontinuity."
731         REFERENCE "RFC 2866 section 3"
732         ::= { radiusAccClientExtEntry 9 }

734  radiusAccServExtMalformedRequests OBJECT-TYPE
735         SYNTAX      Counter32
736         UNITS       "packets"
737         MAX-ACCESS  read-only
738         STATUS      current
739         DESCRIPTION
740               "The number of malformed RADIUS Accounting-Request
741                packets which were received from this client.
742                Bad authenticators and unknown types are not
743                included as malformed Accounting-Requests.  This
744                counter may experience a discontinuity when the
745                RADIUS Accounting Server module within the managed
746                entity is reinitialized, as indicated by the current
747                value of radiusAccServerCounterDiscontinuity."
748         REFERENCE "RFC 2866 section 3"
749         ::= { radiusAccClientExtEntry 10 }

751  radiusAccServExtNoRecords OBJECT-TYPE
752         SYNTAX      Counter32
753         UNITS       "packets"
754         MAX-ACCESS  read-only
755         STATUS      current
756         DESCRIPTION
757               "The number of RADIUS Accounting-Request packets
758                which were received and responded to but not
759                recorded.  This counter may experience a
760                discontinuity when the RADIUS Accounting Server
761                module within the managed entity is reinitialized,
762                as indicated by the current value of
763                radiusAccServerCounterDiscontinuity."
764         ::= { radiusAccClientExtEntry 11 }

766  radiusAccServExtUnknownTypes OBJECT-TYPE
767         SYNTAX      Counter32
768         UNITS       "packets"
769         MAX-ACCESS  read-only
770         STATUS      current
771         DESCRIPTION
772               "The number of RADIUS packets of unknown type which
773                were received from this client.  This counter may
774                experience a discontinuity when the RADIUS Accounting
775                Server module within the managed entity is
776                reinitialized, as indicated by the current value of
777                radiusAccServerCounterDiscontinuity."
778         REFERENCE "RFC 2866 section 4"
779         ::= { radiusAccClientExtEntry 12 }

781  radiusAccServerCounterDiscontinuity OBJECT-TYPE
782         SYNTAX      TimeTicks
783         UNITS       "centiseconds"
784         MAX-ACCESS  read-only
785         STATUS      current
786         DESCRIPTION
787               "The number of centiseconds since the last
788                discontinuity in the RADIUS Accounting Server
789                counters.  A discontinuity may be the result of
790                a reinitialization of the RADIUS Accounting Server
791                module within the managed entity."
792         ::= { radiusAccClientExtEntry 13 }

794  -- conformance information

796  radiusAccServMIBConformance OBJECT IDENTIFIER
797         ::= { radiusAccServMIB 2 }

799  radiusAccServMIBCompliances OBJECT IDENTIFIER
800         ::= { radiusAccServMIBConformance 1 }

802  radiusAccServMIBGroups OBJECT IDENTIFIER
803         ::= { radiusAccServMIBConformance 2 }

805  -- compliance statements

807  radiusAccServMIBCompliance MODULE-COMPLIANCE
808         STATUS  deprecated
809         DESCRIPTION
810               "The compliance statement for accounting servers
811                implementing the RADIUS Accounting Server MIB.
812                Implementation of this module is for IPv4-only
813                entities, or for backwards compatibility use with
814                entities that support both IPv4 and IPv6."
815         MODULE  -- this module
816         MANDATORY-GROUPS { radiusAccServMIBGroup }

818         OBJECT        radiusAccServConfigReset
819         WRITE-SYNTAX  INTEGER { reset(2) }
820         DESCRIPTION   "The only SETable value is 'reset' (2)."

822         ::= { radiusAccServMIBCompliances 1 }

824  radiusAccServExtMIBCompliance MODULE-COMPLIANCE
825         STATUS  current
826         DESCRIPTION
827               "The compliance statement for accounting
828                servers implementing the RADIUS Accounting
829                Server IPv6 Extensions MIB.  Implementation of
830                this module is for entities that support IPv6,
831                or support IPv4 and IPv6."
832         MODULE  -- this module
833         MANDATORY-GROUPS { radiusAccServExtMIBGroup }

835         OBJECT        radiusAccServConfigReset
836         WRITE-SYNTAX  INTEGER { reset(2) }
837         DESCRIPTION   "The only SETable value is 'reset' (2)."

839         OBJECT radiusAccClientInetAddressType
840         SYNTAX InetAddressType { ipv4(1), ipv6(2) }
841         DESCRIPTION
842               "An implementation is only required to support
843                IPv4 and globally unique IPv6 addresses."

845         OBJECT radiusAccClientInetAddress
846         SYNTAX InetAddress ( SIZE (4|16) )
847         DESCRIPTION
848               "An implementation is only required to support
849                IPv4 and globally unique IPv6 addresses."

851         ::= { radiusAccServMIBCompliances 2 }

853  -- units of conformance

855  radiusAccServMIBGroup OBJECT-GROUP
856         OBJECTS {radiusAccServIdent,
857                  radiusAccServUpTime,
858                  radiusAccServResetTime,
859                  radiusAccServConfigReset,
860                  radiusAccServTotalRequests,
861                  radiusAccServTotalInvalidRequests,
862                  radiusAccServTotalDupRequests,
863                  radiusAccServTotalResponses,
864                  radiusAccServTotalMalformedRequests,
865                  radiusAccServTotalBadAuthenticators,
866                  radiusAccServTotalPacketsDropped,
867                  radiusAccServTotalNoRecords,
868                  radiusAccServTotalUnknownTypes,
869                  radiusAccClientAddress,
870                  radiusAccClientID,
871                  radiusAccServPacketsDropped,
872                  radiusAccServRequests,
873                  radiusAccServDupRequests,
874                  radiusAccServResponses,
875                  radiusAccServBadAuthenticators,
876                  radiusAccServMalformedRequests,
877                  radiusAccServNoRecords,
878                  radiusAccServUnknownTypes
879                 }
880         STATUS deprecated
881         DESCRIPTION
882               "The collection of objects providing management of
883                a RADIUS Accounting Server."
884         ::= { radiusAccServMIBGroups 1 }

886  radiusAccServExtMIBGroup OBJECT-GROUP
887         OBJECTS {radiusAccServIdent,
888                  radiusAccServUpTime,
889                  radiusAccServResetTime,
890                  radiusAccServConfigReset,
891                  radiusAccServTotalRequests,
892                  radiusAccServTotalInvalidRequests,
893                  radiusAccServTotalDupRequests,
894                  radiusAccServTotalResponses,
895                  radiusAccServTotalMalformedRequests,
896                  radiusAccServTotalBadAuthenticators,
897                  radiusAccServTotalPacketsDropped,
898                  radiusAccServTotalNoRecords,
899                  radiusAccServTotalUnknownTypes,
900                  radiusAccClientInetAddressType,
901                  radiusAccClientInetAddress,
902                  radiusAccClientExtID,
903                  radiusAccServExtPacketsDropped,
904                  radiusAccServExtRequests,
905                  radiusAccServExtDupRequests,
906                  radiusAccServExtResponses,
907                  radiusAccServExtBadAuthenticators,
908                  radiusAccServExtMalformedRequests,
909                  radiusAccServExtNoRecords,
910                  radiusAccServExtUnknownTypes,
911                  radiusAccServerCounterDiscontinuity
912                 }
913         STATUS current
914         DESCRIPTION
915               "The collection of objects providing management of
916                a RADIUS Accounting Server."
917         ::= { radiusAccServMIBGroups 2 }

919  END

921  8.  IANA Considerations

923     This document requires no new IANA assignments.

925  9.  Security Considerations

927     There are management objects (radiusAccServConfigReset) defined in
928     this MIB that have a MAX-ACCESS clause of read-write and/or read-
929     create.  Such objects may be considered sensitive or vulnerable in
930     some network environments.  The support for SET operations in a non-
931     secure environment without proper protection can have a negative
932     effect on network operations.  These are:

934     radiusAccServConfigReset  This object can be used to reinitialize the
935        persistent state of any server.  When set to reset(2), any
936        persistent server state (such as a process) is reinitialized as if
937        the server had just been started.  Depending on the server
938        implementation details, this action may or may not interrupt the
939        processing of pending requests in the server.  Abuse of this object
940        may lead to a Denial of Service attack on the server.

942     There are a number of managed objects in this MIB that may contain
943     sensitive information.  These are:

945     radiusAccClientIPAddress  This can be used to determine the address of
946        the RADIUS accounting client with which the server is
947        communicating.  This information could be useful in mounting an
948        attack on the accounting client.
949     radiusAccClientInetAddress  This can be used to determine the address
950        of the RADIUS accounting client with which the server is
951        communicating.  This information could be useful in mounting an
952        attack on the accounting client.

954     It is thus important to control even GET access to these objects and
955     possibly to even encrypt the values of these objects when sending them
956     over the network via SNMP.  Not all versions of SNMP provide features
957     for such a secure environment.

959     SNMP versions prior to SNMPv3 do not provide a secure environment.
960     Even if the network itself is secure (for example by using IPsec),
961     there is no control as to who on the secure network is allowed to
962     access and GET/SET (read/change/create/delete) the objects in this
963     MIB.

965     It is RECOMMENDED that implementers consider the security features as
966     provided by the SNMPv3 framework (see [RFC3410], section 8),
967     including full support for the SNMPv3 cryptographic mechanisms (for
968     authentication and privacy).

970     Further, deployment of SNMP versions prior to SNMPv3 is NOT
971     RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
972     enable cryptographic security.  It is then a customer/operator
973     responsibility to ensure that the SNMP entity giving access to an
974     instance of this MIB module is properly configured to give access to
975     the objects only to those principals (users) that have legitimate
976     rights to indeed GET or SET (change/create/delete) them.

978  10.  References

980  10.1.  Normative References

982     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
983                Requirement Levels", BCP 14, RFC 2119, March 1997.

985     [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
986                Schoenwaelder, Ed., "Structure of Management Information
987                Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

989     [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
990                Schoenwaelder, Ed., "Textual Conventions for SMIv2",
991                STD 58, RFC 2579, April 1999.

993     [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
994                "Conformance Statements for SMIv2", STD 58, RFC 2580,
995                April 1999.

997     [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

999  10.2.  Informative References

1001    [RFC2621]  Zorn, G. and B. Aboba, "RADIUS Accounting Server MIB",
1002               RFC 2621, June 1999.

1004    [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
1005               "Remote Authentication Dial In User Service (RADIUS)",
1006               RFC 2865, June 2000.

1008    [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
1009               "Introduction and Applicability Statements for Internet-
1010               Standard Management Framework", RFC 3410, December 2002.

1012    [RFC4001]  Daniele, M., Haberman, B., Routhier, S., and J.
1013               Schoenwaelder, "Textual Conventions for Internet Network
1014               Addresses", RFC 4001, February 2005.

1016 Appendix A.  Acknowledgments

1018    The authors of the original MIB are Bernard Aboba and Glen Zorn.

1020    Many thanks to all reviewers, especially to Dave Harrington, Dan
1021    Romascanu, C.M. Heard, Bruno Pape, Greg Weber and Bert Wijnen.

1023 Author's Address

1025    David B. Nelson
1026    Enterasys Networks
1027    50 Minuteman Road
1028    Andover, MA 01810
1029    USA

1031    Email: dnelson@enterasys.com

1033 Intellectual Property Statement

1035    The IETF takes no position regarding the validity or scope of any
1036    Intellectual Property Rights or other rights that might be claimed to
1037    pertain to the implementation or use of the technology described in
1038    this document or the extent to which any license under such rights
1039    might or might not be available; nor does it represent that it has
1040    made any independent effort to identify any such rights.  Information
1041    on the procedures with respect to rights in RFC documents can be
1042    found in BCP 78 and BCP 79.

1044    Copies of IPR disclosures made to the IETF Secretariat and any
1045    assurances of licenses to be made available, or the result of an
1046    attempt made to obtain a general license or permission for the use of
1047    such proprietary rights by implementers or users of this
1048    specification can be obtained from the IETF on-line IPR repository at
1049    http://www.ietf.org/ipr.

1051    The IETF invites any interested party to bring to its attention any
1052    copyrights, patents or patent applications, or other proprietary
1053    rights that may cover technology that may be required to implement
1054    this standard.  Please address the information to the IETF at
1055    ietf-ipr@ietf.org.
1057 Disclaimer of Validity

1059    This document and the information contained herein are provided on an
1060    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1061    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1062    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1063    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1064    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1065    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1067 Copyright Statement

1069    Copyright (C) The Internet Society (2006).  This document is subject
1070    to the rights, licenses and restrictions contained in BCP 78, and
1071    except as set forth therein, the authors retain all their rights.

1073 Acknowledgment

1075    Funding for the RFC Editor function is currently provided by the
1076    Internet Society.
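
The per-client counter descriptions in the MIB module say each Counter32 may restart when the server module is reinitialized, with radiusAccServerCounterDiscontinuity giving the time since that happened, and Section 9 names radiusAccServConfigReset as a way to cause such a reinitialization. The following Python is an added example, not part of the draft, showing how a poller can take counter deltas that survive Counter32 wrap and flag a reinitialization; the Poll structure, the 200-centisecond tolerance, the max_unknown threshold and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WRAP = 2 ** 32  # Counter32 and TimeTicks are both unsigned 32-bit values

@dataclass
class Poll:
    taken_at: float      # poller clock, seconds
    discontinuity: int   # radiusAccServerCounterDiscontinuity, centiseconds
    counters: dict       # object name -> Counter32 value for one client row

def had_discontinuity(prev, cur, tolerance_cs=200):
    """True if the server counters were reinitialized between two polls.

    Without a discontinuity the object advances by the polling interval;
    after one it restarts from zero, so the advance no longer matches.
    """
    interval_cs = (cur.taken_at - prev.taken_at) * 100
    advanced_cs = (cur.discontinuity - prev.discontinuity) % WRAP
    return abs(advanced_cs - interval_cs) > tolerance_cs

def deltas(prev, cur):
    """Per-object increase between polls, or None across a discontinuity."""
    if had_discontinuity(prev, cur):
        return None  # the difference of the two readings is meaningless
    return {name: (cur.counters[name] - prev.counters[name]) % WRAP
            for name in cur.counters}

def review(prev, cur, max_unknown=50):
    """Findings for one client row; max_unknown is an assumed threshold."""
    d = deltas(prev, cur)
    if d is None:
        return ["counters reinitialized: match against authorized SETs of "
                "radiusAccServConfigReset"]
    findings = []
    if d["radiusAccServExtUnknownTypes"] > max_unknown:
        findings.append("burst of unknown-type packets from this client")
    if d["radiusAccServExtNoRecords"] > 0:
        findings.append("requests acknowledged but not recorded")
    return findings

# Constructed sample polls, 60 seconds apart.
P1 = Poll(1000.0, 8_640_000, {"radiusAccServExtUnknownTypes": 4_294_967_290,
                              "radiusAccServExtNoRecords": 7})
P2 = Poll(1060.0, 8_646_000, {"radiusAccServExtUnknownTypes": 14,
                              "radiusAccServExtNoRecords": 7})
P3 = Poll(1120.0, 1_500, {"radiusAccServExtUnknownTypes": 3,
                          "radiusAccServExtNoRecords": 0})
```

Between P1 and P2 the unknown-types counter wraps past 2^32 and the modular subtraction still yields the true increase; between P2 and P3 the discontinuity timer restarts, so no delta is reported and the reinitialization itself becomes the finding.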